
Windows Analysis Report
ZZ.exe

Overview

General Information

Sample name: ZZ.exe
Analysis ID: 1518239
MD5: aa4aca6b0973b169a4242718f04d9c54
SHA1: 79212a9e32d3ae5f1778605a43fcb6a63b9fccb1
SHA256: 2ff32c90e5a04d6a51e0360368daafe35396561f9687a27306f539ae0f354ade
Tags: 147-45-44-131, exe, RemcosRAT, user-JAMESWT_MHT

Detection

Family: Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • ZZ.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\ZZ.exe" MD5: AA4ACA6B0973B169A4242718F04D9C54)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "sungito2.ddns.net:6509:1154.216.19.222:5532:1", "Assigned name": "SEPT 4", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EIENFE", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings (listed below the row)
ZZ.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
ZZ.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
ZZ.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
ZZ.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
ZZ.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings (listed below the row)
00000000.00000002.3857926378.000000000224F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x134b8:$a1: Remcos restarted by watchdog!
  • 0x13a30:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings (listed below the row)
0.2.ZZ.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.2.ZZ.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.ZZ.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.ZZ.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
0.2.ZZ.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\ZZ.exe, ProcessId: 7656, TargetFilename: C:\ProgramData\remcos\logs.dat

AV Detection

Source: ZZ.exe | Avira: detected
Source: sungito2.ddns.net | Avira URL Cloud: Label: malware
Source: 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "sungito2.ddns.net:6509:1154.216.19.222:5532:1", "Assigned name": "SEPT 4", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EIENFE", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: ZZ.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: ZZ.exe, type: SAMPLE
Source: Yara match | File source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3857926378.000000000224F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZZ.exe PID: 7656, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: ZZ.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext | 0_2_004338C8
Source: ZZ.exe, 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- | memstr_b9c0abc7-2

Exploits

Source: Yara match | File source: ZZ.exe, type: SAMPLE
Source: Yara match | File source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZZ.exe PID: 7656, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00407538 _wcslen,CoGetObject | 0_2_00407538
Source: ZZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 0_2_0040928E
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 0_2_0041C322
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 0_2_0040C388
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 0_2_004096A0
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 0_2_00408847
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW | 0_2_00407877
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0044E8F9 FindFirstFileExA | 0_2_0044E8F9
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 0_2_0040BB6B
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW | 0_2_00419B86
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 0_2_0040BD72
Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 0_2_00407CD2

                        Networking

                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49705 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49709 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49707 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49711 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49710 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49715 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49719 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49725 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49708 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49717 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49728 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49721 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49734 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49751 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49746 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49737 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49748 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49755 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49754 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49766 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49745 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49733 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49774 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49786 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49760 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49738 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49736 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49780 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49716 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49752 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49802 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49720 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49791 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49757 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49787 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49816 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49749 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49739 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49731 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49762 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49759 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49758 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49764 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49806 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49761 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49777 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49743 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49784 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49770 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49809 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49819 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49813 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49735 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49796 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49794 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49790 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49763 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49798 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49801 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49805 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49815 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49814 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49811 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49808 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49706 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49750 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49744 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49817 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49747 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49782 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49767 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49768 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49788 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49773 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49789 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49776 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49793 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49797 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49753 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49818 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49769 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49724 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49729 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49804 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49718 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49722 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49730 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49775 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49803 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49810 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49740 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49778 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49772 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49779 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49781 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49795 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49742 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49756 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49812 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49726 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49712 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49727 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49723 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49765 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49783 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49785 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49799 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49792 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49741 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49771 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49800 -> 154.216.19.222:6509
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49807 -> 154.216.19.222:5532
                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49820 -> 154.216.19.222:6509
                        Source: Malware configuration extractor | URLs: sungito2.ddns.net
                        Source: global traffic | TCP traffic: 154.216.19.222 ports 5532,0,6509,5,6,9
                        Source: unknown | DNS query: name: sungito2.ddns.net
                        Source: global traffic | TCP traffic: 192.168.2.8:49705 -> 154.216.19.222:6509
                        Source: Joe Sandbox View | IP Address: 154.216.19.222 154.216.19.222
                        Source: Joe Sandbox View | ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00426D42 recv, 0_2_00426D42
                        Source: global traffic | DNS traffic detected: DNS query: sungito2.ddns.net
                        Source: ZZ.exe | String found in binary or memory: http://geoplugin.net/json.gp
                        Source: ZZ.exe | String found in binary or memory: http://geoplugin.net/json.gp/C

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 0_2_0040A2F3
                        Source: C:\Users\user\Desktop\ZZ.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\ZZ.exe
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040B749
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_004168FC
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040B749
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 0_2_0040A41B
                        Source: Yara match | File source: ZZ.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: ZZ.exe PID: 7656, type: MEMORYSTR

                        E-Banking Fraud

                        Source: Yara match | File source: ZZ.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.3857926378.000000000224F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: ZZ.exe PID: 7656, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041CA73 SystemParametersInfoW, 0_2_0041CA73

                        System Summary

                        Source: ZZ.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: ZZ.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: ZZ.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: ZZ.exe PID: 7656, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: C:\Users\user\Desktop\ZZ.exeProcess Stats: CPU usage > 49%
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,0_2_0041330D
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle,0_2_0041BBC6
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041BB9A
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_004167EF
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0043706A0_2_0043706A
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_004140050_2_00414005
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0043E11C0_2_0043E11C
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_004541D90_2_004541D9
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_004381E80_2_004381E8
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0041F18B0_2_0041F18B
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_004462700_2_00446270
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0043E34B0_2_0043E34B
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_004533AB0_2_004533AB
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0042742E0_2_0042742E
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_004375660_2_00437566
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0043E5A80_2_0043E5A8
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_004387F00_2_004387F0
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0043797E0_2_0043797E
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_004339D70_2_004339D7
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0044DA490_2_0044DA49
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_00427AD70_2_00427AD7
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0041DBF30_2_0041DBF3
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_00427C400_2_00427C40
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_00437DB30_2_00437DB3
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_00435EEB0_2_00435EEB
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_0043DEED0_2_0043DEED
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: 0_2_00426E9F0_2_00426E9F
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: String function: 00402093 appears 50 times
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: String function: 00401E65 appears 35 times
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: String function: 00434E70 appears 54 times
                        Source: C:\Users\user\Desktop\ZZ.exeCode function: String function: 00434801 appears 42 times
                        Source: ZZ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: ZZ.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: ZZ.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: ZZ.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: ZZ.exe PID: 7656, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@4/1
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_0041798D
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_0040F4AF
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_0041B539
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AADB
                        Source: C:\Users\user\Desktop\ZZ.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-EIENFE
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: Software\ 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: Rmc-EIENFE 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: Exe 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: Exe 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: Rmc-EIENFE 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: ,aF 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: Inj 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: Inj 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: `#l 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: exepath 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: ,aF 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: `#l 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: exepath 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: licence 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: dMG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: PSG 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: Administrator 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: User 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: del 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: del 0_2_0040EA00
                        Source: C:\Users\user\Desktop\ZZ.exe | Command line argument: del 0_2_0040EA00
                        Source: ZZ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\ZZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: ZZ.exe | ReversingLabs: Detection: 84%
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: winmm.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: wininet.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: rstrtmgr.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: ncrypt.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: ntasn1.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\ZZ.exe | Section loaded: cryptbase.dll
                        Source: ZZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: ZZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: ZZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: ZZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: ZZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: ZZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: ZZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: ZZ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: ZZ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: ZZ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: ZZ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: ZZ.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00457186 push ecx; ret 0_2_00457199
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW, 0_2_00406EEB
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AADB
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
                        Source: C:\Users\user\Desktop\ZZ.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040F7E2 Sleep,ExitProcess, 0_2_0040F7E2
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A7D9
                        Source: C:\Users\user\Desktop\ZZ.exe | Window / User API: threadDelayed 6358
                        Source: C:\Users\user\Desktop\ZZ.exe | Window / User API: threadDelayed 3101
                        Source: C:\Users\user\Desktop\ZZ.exe | Window / User API: foregroundWindowGot 1774
                        Source: C:\Users\user\Desktop\ZZ.exe TID: 7700 | Thread sleep count: 237 > 30
                        Source: C:\Users\user\Desktop\ZZ.exe TID: 7700 | Thread sleep time: -118500s >= -30000s
                        Source: C:\Users\user\Desktop\ZZ.exe TID: 7712 | Thread sleep count: 6358 > 30
                        Source: C:\Users\user\Desktop\ZZ.exe TID: 7712 | Thread sleep time: -19074000s >= -30000s
                        Source: C:\Users\user\Desktop\ZZ.exe TID: 7712 | Thread sleep count: 3101 > 30
                        Source: C:\Users\user\Desktop\ZZ.exe TID: 7712 | Thread sleep time: -9303000s >= -30000s
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_0040928E
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C322
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C388
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_004096A0
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_00408847
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW, 0_2_00407877
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0044E8F9 FindFirstFileExA, 0_2_0044E8F9
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB6B
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419B86
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD72
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407CD2
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
                        Source: C:\Users\user\Desktop\ZZ.exe | API call chain: ExitProcess graph end node graph_0-48696
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434A8A
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CBE1
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00443355 mov eax, dword ptr fs:[00000030h] 0_2_00443355
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_004120B2 GetProcessHeap,HeapFree, 0_2_004120B2
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043503C
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00434A8A
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043BB71
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00434BD8 SetUnhandledExceptionFilter, 0_2_00434BD8
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00412132
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00419662 mouse_event, 0_2_00419662
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFE\
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFE\;*
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFE\U*(
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFE\^*#
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFE\[
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFE\8
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFE\~
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFE\)*
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFE\G
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerFE\2*
                        Source: ZZ.exe, 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00434CB6 cpuid 0_2_00434CB6
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: EnumSystemLocalesW, 0_2_0045201B
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: EnumSystemLocalesW, 0_2_004520B6
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452143
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: GetLocaleInfoW, 0_2_00452393
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: EnumSystemLocalesW, 0_2_00448484
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004524BC
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: GetLocaleInfoW, 0_2_004525C3
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452690
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: GetLocaleInfoW, 0_2_0044896D
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: GetLocaleInfoA, 0_2_0040F90C
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00451D58
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: EnumSystemLocalesW, 0_2_00451FD0
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread, 0_2_00404F51
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_0041B69E GetComputerNameExW,GetUserNameW, 0_2_0041B69E
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: 0_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00449210
                        Source: C:\Users\user\Desktop\ZZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

                        Source: Yara match | File source: ZZ.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.3857926378.000000000224F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: ZZ.exe PID: 7656, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040BA4D
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040BB6B
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: \key3.db 0_2_0040BB6B

                        Remote Access Functionality

                        Source: C:\Users\user\Desktop\ZZ.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-EIENFE
                        Source: Yara match | File source: ZZ.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.ZZ.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.3857926378.000000000224F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: ZZ.exe PID: 7656, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Users\user\Desktop\ZZ.exe | Code function: cmd.exe 0_2_0040569A
                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                        Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                        Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 1 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | 21 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand
Source | Detection | Scanner | Label
ZZ.exe | 84% | ReversingLabs | Win32.Trojan.Remcos
ZZ.exe | 100% | Avira | BDS/Backdoor.Gen
ZZ.exe | 100% | Joe Sandbox ML |
No Antivirus matches

Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
sungito2.ddns.net | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sungito2.ddns.net | 154.216.19.222 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
sungito2.ddns.net | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | ZZ.exe | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | ZZ.exe | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
154.216.19.222 | sungito2.ddns.net | Seychelles | 135357 | SKHT-AS Shenzhen Katherine Heng Technology Information Co | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1518239
                          Start date and time:2024-09-25 14:36:39 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 26s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:ZZ.exe
                          Detection:MAL
                          Classification:mal100.rans.troj.spyw.expl.evad.winEXE@1/1@4/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 32
                          • Number of non-executed functions: 218
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240s for sample files taking high CPU consumption
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: ZZ.exe
Time | Type | Description
08:38:05 | API Interceptor | 7087730x Sleep call for process: ZZ.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
154.216.19.222 | SecuriteInfo.com.Win32.RATX-gen.7479.21659.exe | malicious | Remcos |
154.216.19.222 | thrylPXnvfySmGN.exe | malicious | Remcos |
154.216.19.222 | PRICE REQUEST RSM PQ24.docx.doc | malicious | Remcos |
154.216.19.222 | SecuriteInfo.com.Exploit.CVE-2018-0798.4.21168.15147.rtf | malicious | Remcos |
154.216.19.222 | SecuriteInfo.com.Win32.MalwareX-gen.1358.31487.exe | malicious | Remcos |
154.216.19.222 | Order_2480500093314.exe | malicious | Remcos, PureLog Stealer |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
sungito2.ddns.net | SecuriteInfo.com.Win32.RATX-gen.7479.21659.exe | malicious | Remcos | 154.216.19.222
sungito2.ddns.net | thrylPXnvfySmGN.exe | malicious | Remcos | 154.216.19.222
sungito2.ddns.net | PRICE REQUEST RSM PQ24.docx.doc | malicious | Remcos | 154.216.19.222
sungito2.ddns.net | SecuriteInfo.com.Exploit.CVE-2018-0798.4.21168.15147.rtf | malicious | Remcos | 154.216.19.222
sungito2.ddns.net | SecuriteInfo.com.Win32.MalwareX-gen.1358.31487.exe | malicious | Remcos | 154.216.19.222
sungito2.ddns.net | Order_2480500093314.exe | malicious | Remcos, PureLog Stealer | 154.216.19.222

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SKHT-AS Shenzhen Katherine Heng Technology Information Co | https://estacionar-replonline.net/galicia/?fbclid=PAZXh0bgNhZW0BMAABpj | malicious | Unknown | 154.216.20.243
SKHT-AS Shenzhen Katherine Heng Technology Information Co | SecuriteInfo.com.Win64.MalwareX-gen.2119.3372.exe | malicious | XWorm | 154.216.17.202
SKHT-AS Shenzhen Katherine Heng Technology Information Co | https://bpost-be.help/ | malicious | Unknown | 154.216.20.4
SKHT-AS Shenzhen Katherine Heng Technology Information Co | debug.dbg.elf | malicious | Mirai, Okiru | 154.216.20.94
SKHT-AS Shenzhen Katherine Heng Technology Information Co | zmap.arm.elf | malicious | Mirai, Okiru | 154.216.18.230
SKHT-AS Shenzhen Katherine Heng Technology Information Co | zmap.arm7.elf | malicious | Mirai, Okiru | 154.216.18.230
SKHT-AS Shenzhen Katherine Heng Technology Information Co | zmap.m68k.elf | malicious | Mirai, Okiru | 154.216.18.230
SKHT-AS Shenzhen Katherine Heng Technology Information Co | zmap.mips.elf | malicious | Mirai, Okiru | 154.216.18.230
SKHT-AS Shenzhen Katherine Heng Technology Information Co | zmap.mpsl.elf | malicious | Mirai, Okiru | 154.216.18.230
SKHT-AS Shenzhen Katherine Heng Technology Information Co | zmap.ppc.elf | malicious | Mirai, Okiru | 154.216.18.230
                                      No context
                                      Process:C:\Users\user\Desktop\ZZ.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):144
                                      Entropy (8bit):3.3968126123197595
                                      Encrypted:false
                                      SSDEEP:3:rhlKlRlmWlWfNClDl5JWRal2Jl+7R0DAlBG45klovDl6v:6l9l/b5YcIeeDAlOWAv
                                      MD5:BA7580BA86F3733B51D8E0C8BB775C70
                                      SHA1:78BA13EB5DD13C9F5EE2C090664C156BA0255CB5
                                      SHA-256:8B38C41260F83D79987BE4646E1F9190180211B40D27309172DA5E9B7147DE96
                                      SHA-512:FD5EE8AD9B7E8BE3151A2302DFD093CB8FE9E62B4F391A03041611926B5FC8B60F7731219D56BAB097FC12400E74EA84963201F677245198EE693204817E3E0D
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                      Reputation:low
                                      Preview:....[.2.0.2.4./.0.9./.2.5. .0.8.:.3.7.:.3.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):6.601444121062746
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:ZZ.exe
                                      File size:494'592 bytes
                                      MD5:aa4aca6b0973b169a4242718f04d9c54
                                      SHA1:79212a9e32d3ae5f1778605a43fcb6a63b9fccb1
                                      SHA256:2ff32c90e5a04d6a51e0360368daafe35396561f9687a27306f539ae0f354ade
                                      SHA512:a47637d9472a04fde60e2494ba05f0851bf6d4e7f9ede7d23c37c38d094a64b647c0c5ba5b946d44a6ee31d09b8b0d1fdf513c7ed981b0466f98197988da299a
                                      SSDEEP:6144:RTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4crxT4:RTlrYw1RUh3NFn+N5WfIQIjbs/ZmyT4
                                      TLSH:39B49E01BAD1C072D57514300D3AF776EAB8BD201835497B73EA1D5BFE31190A72AAB7
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
                                      Icon Hash:95694d05214c1b33
                                      Entrypoint:0x434a80
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                      Time Stamp:0x66D71DE3 [Tue Sep 3 14:32:03 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:1389569a3a39186f3eb453b501cfe688
                                      Instruction
                                      call 00007F0784E6591Bh
                                      jmp 00007F0784E65363h
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 00000324h
                                      push ebx
                                      push esi
                                      push 00000017h
                                      call 00007F0784E87BB3h
                                      test eax, eax
                                      je 00007F0784E654D7h
                                      mov ecx, dword ptr [ebp+08h]
                                      int 29h
                                      xor esi, esi
                                      lea eax, dword ptr [ebp-00000324h]
                                      push 000002CCh
                                      push esi
                                      push eax
                                      mov dword ptr [00471D14h], esi
                                      call 00007F0784E67926h
                                      add esp, 0Ch
                                      mov dword ptr [ebp-00000274h], eax
                                      mov dword ptr [ebp-00000278h], ecx
                                      mov dword ptr [ebp-0000027Ch], edx
                                      mov dword ptr [ebp-00000280h], ebx
                                      mov dword ptr [ebp-00000284h], esi
                                      mov dword ptr [ebp-00000288h], edi
                                      mov word ptr [ebp-0000025Ch], ss
                                      mov word ptr [ebp-00000268h], cs
                                      mov word ptr [ebp-0000028Ch], ds
                                      mov word ptr [ebp-00000290h], es
                                      mov word ptr [ebp-00000294h], fs
                                      mov word ptr [ebp-00000298h], gs
                                      pushfd
                                      pop dword ptr [ebp-00000264h]
                                      mov eax, dword ptr [ebp+04h]
                                      mov dword ptr [ebp-0000026Ch], eax
                                      lea eax, dword ptr [ebp+04h]
                                      mov dword ptr [ebp-00000260h], eax
                                      mov dword ptr [ebp-00000324h], 00010001h
                                      mov eax, dword ptr [eax-04h]
                                      push 00000050h
                                      mov dword ptr [ebp-00000270h], eax
                                      lea eax, dword ptr [ebp-58h]
                                      push esi
                                      push eax
                                      call 00007F0784E6789Dh
                                      Programming Language:
                                      • [C++] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4b4c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x571f5 | 0x57200 | e504ab64b98631753dc227346d757c52 | False | 0.5716379348995696 | data | 6.6273936921798455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179dc | 0x17a00 | 2a24a2cbf738bf5f992a0162fad3d464 | False | 0.5008577215608465 | data | 5.862074061245876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4b4c | 0x4c00 | 7165a9ac7d0504cedb9e16bfbe8c5f58 | False | 0.28335731907894735 | data | 3.982383286530854 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 047d13d1dd0f82094cdf10f08253441e | False | 0.7640625 | data | 6.723768218094163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x53e | data | | | 1.0081967213114753
RT_GROUP_ICON | 0x7db0c | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T14:37:30.090767+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49820 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:37:35.700766+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49705 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:37:37.446598+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49706 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:37:40.256733+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49707 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:37:42.104958+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49708 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:37:44.843466+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49709 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:37:46.546023+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49710 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:37:49.823076+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49711 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:37:51.593474+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49712 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:37:54.311523+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49715 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:37:56.008983+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49716 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:37:58.714616+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49717 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:00.417329+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49718 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:03.172157+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49719 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:04.913277+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49720 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:07.719195+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49721 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:09.434060+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49722 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:12.151181+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49723 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:13.856872+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49724 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:16.577929+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49725 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:18.277945+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49726 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:20.997465+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49727 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:23.400018+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49728 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:26.106705+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49729 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:27.823131+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49730 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:30.525028+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49731 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:32.213016+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49733 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:34.957764+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49734 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:36.717852+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49735 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:39.454007+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49736 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:41.397519+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49737 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:44.135373+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49738 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:45.879367+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49739 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:48.701433+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49740 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:50.514126+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49741 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:53.466019+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49742 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:55.187382+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49743 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:38:57.919489+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49744 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:38:59.627590+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49745 | 154.216.19.222 | 5532 | TCP
2024-09-25T14:39:02.359046+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49746 | 154.216.19.222 | 6509 | TCP
2024-09-25T14:39:04.102048+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49747 | 154.216.19.222 | 5532 | TCP
                                      2024-09-25T14:39:06.825726+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849748154.216.19.2226509TCP
                                      2024-09-25T14:39:08.528881+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849749154.216.19.2225532TCP
                                      2024-09-25T14:39:11.345553+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849750154.216.19.2226509TCP
                                      2024-09-25T14:39:13.121428+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849751154.216.19.2225532TCP
                                      2024-09-25T14:39:16.059479+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849752154.216.19.2226509TCP
                                      2024-09-25T14:39:17.777731+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849753154.216.19.2225532TCP
                                      2024-09-25T14:39:20.480516+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849754154.216.19.2226509TCP
                                      2024-09-25T14:39:22.168287+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849755154.216.19.2225532TCP
                                      2024-09-25T14:39:24.908245+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849756154.216.19.2226509TCP
                                      2024-09-25T14:39:26.640659+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849757154.216.19.2225532TCP
                                      2024-09-25T14:39:29.402444+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849758154.216.19.2226509TCP
                                      2024-09-25T14:39:31.131682+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849759154.216.19.2225532TCP
                                      2024-09-25T14:39:33.863659+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849760154.216.19.2226509TCP
                                      2024-09-25T14:39:35.642261+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849761154.216.19.2225532TCP
                                      2024-09-25T14:39:38.506143+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849762154.216.19.2226509TCP
                                      2024-09-25T14:39:40.317132+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849763154.216.19.2225532TCP
                                      2024-09-25T14:39:43.152188+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849764154.216.19.2226509TCP
                                      2024-09-25T14:39:45.109862+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849765154.216.19.2225532TCP
                                      2024-09-25T14:39:47.877925+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849766154.216.19.2226509TCP
                                      2024-09-25T14:39:49.610799+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849767154.216.19.2225532TCP
                                      2024-09-25T14:39:52.383770+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849768154.216.19.2226509TCP
                                      2024-09-25T14:39:54.193557+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849769154.216.19.2225532TCP
                                      2024-09-25T14:39:56.983979+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849770154.216.19.2226509TCP
                                      2024-09-25T14:39:58.703767+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849771154.216.19.2225532TCP
                                      2024-09-25T14:40:01.423852+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849772154.216.19.2226509TCP
                                      2024-09-25T14:40:03.126337+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849773154.216.19.2225532TCP
                                      2024-09-25T14:40:05.810649+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849774154.216.19.2226509TCP
                                      2024-09-25T14:40:07.534173+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849775154.216.19.2225532TCP
                                      2024-09-25T14:40:10.168573+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849776154.216.19.2226509TCP
                                      2024-09-25T14:40:11.876582+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849777154.216.19.2225532TCP
                                      2024-09-25T14:40:14.888831+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849778154.216.19.2226509TCP
                                      2024-09-25T14:40:16.595920+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849779154.216.19.2225532TCP
                                      2024-09-25T14:40:19.185031+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849780154.216.19.2226509TCP
                                      2024-09-25T14:40:21.747029+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849781154.216.19.2225532TCP
                                      2024-09-25T14:40:24.320063+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849782154.216.19.2226509TCP
                                      2024-09-25T14:40:26.013507+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849783154.216.19.2225532TCP
                                      2024-09-25T14:40:28.549224+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849784154.216.19.2226509TCP
                                      2024-09-25T14:40:30.254000+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849785154.216.19.2225532TCP
                                      2024-09-25T14:40:33.125378+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849786154.216.19.2226509TCP
                                      2024-09-25T14:40:34.939686+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849787154.216.19.2225532TCP
                                      2024-09-25T14:40:37.422095+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849788154.216.19.2226509TCP
                                      2024-09-25T14:40:39.210118+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849789154.216.19.2225532TCP
                                      2024-09-25T14:40:41.700032+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849790154.216.19.2226509TCP
                                      2024-09-25T14:40:43.450834+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849791154.216.19.2225532TCP
                                      2024-09-25T14:40:45.986253+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849792154.216.19.2226509TCP
                                      2024-09-25T14:40:47.758962+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849793154.216.19.2225532TCP
                                      2024-09-25T14:40:50.197816+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849794154.216.19.2226509TCP
                                      2024-09-25T14:40:51.937681+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849795154.216.19.2225532TCP
                                      2024-09-25T14:40:54.391152+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849796154.216.19.2226509TCP
                                      2024-09-25T14:40:56.120319+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849797154.216.19.2225532TCP
                                      2024-09-25T14:40:58.488251+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849798154.216.19.2226509TCP
                                      2024-09-25T14:41:00.223435+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849799154.216.19.2225532TCP
                                      2024-09-25T14:41:02.594227+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849800154.216.19.2226509TCP
                                      2024-09-25T14:41:04.296174+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849801154.216.19.2225532TCP
                                      2024-09-25T14:41:06.609806+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849802154.216.19.2226509TCP
                                      2024-09-25T14:41:08.344198+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849803154.216.19.2225532TCP
                                      2024-09-25T14:41:10.653667+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849804154.216.19.2226509TCP
                                      2024-09-25T14:41:12.344220+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849805154.216.19.2225532TCP
                                      2024-09-25T14:41:14.624144+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849806154.216.19.2226509TCP
                                      2024-09-25T14:41:16.346596+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849807154.216.19.2225532TCP
                                      2024-09-25T14:41:18.596264+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849808154.216.19.2226509TCP
                                      2024-09-25T14:41:20.296231+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849809154.216.19.2225532TCP
                                      2024-09-25T14:41:22.516254+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849810154.216.19.2226509TCP
                                      2024-09-25T14:41:24.272251+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849811154.216.19.2225532TCP
                                      2024-09-25T14:41:26.547682+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849812154.216.19.2226509TCP
                                      2024-09-25T14:41:28.250229+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849813154.216.19.2225532TCP
                                      2024-09-25T14:41:30.455144+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849814154.216.19.2226509TCP
                                      2024-09-25T14:41:32.210499+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849815154.216.19.2225532TCP
                                      2024-09-25T14:41:34.412287+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849816154.216.19.2226509TCP
                                      2024-09-25T14:41:36.143478+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849817154.216.19.2225532TCP
                                      2024-09-25T14:41:38.343246+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849818154.216.19.2226509TCP
                                      2024-09-25T14:41:40.079106+02002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.849819154.216.19.2225532TCP
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                      Sep 25, 2024 14:38:21.003379107 CEST650949727154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:21.003855944 CEST553249728154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:21.003931046 CEST497285532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:21.007693052 CEST497285532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:21.017944098 CEST553249728154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:23.399918079 CEST553249728154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:23.400017977 CEST497285532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:23.400132895 CEST497285532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:23.400769949 CEST553249728154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:23.400815010 CEST497285532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:23.401568890 CEST553249728154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:23.401617050 CEST497285532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:23.622366905 CEST553249728154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:23.622457027 CEST497285532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:23.716121912 CEST497285532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:23.837938070 CEST553249728154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:23.840684891 CEST553249728154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:23.840744972 CEST497285532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:24.404526949 CEST497296509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:24.410023928 CEST650949729154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:24.410104036 CEST497296509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:24.413539886 CEST497296509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:24.419853926 CEST650949729154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:26.106540918 CEST650949729154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:26.106704950 CEST497296509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:26.106822968 CEST497296509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:26.107661963 CEST497305532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:26.111522913 CEST650949729154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:26.112638950 CEST553249730154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:26.112720013 CEST497305532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:26.116647959 CEST497305532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:26.121629953 CEST553249730154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:27.822879076 CEST553249730154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:27.823131084 CEST497305532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:27.823175907 CEST497305532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:27.828038931 CEST553249730154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:28.827039003 CEST497316509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:28.831904888 CEST650949731154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:28.832025051 CEST497316509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:28.835525990 CEST497316509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:28.845123053 CEST650949731154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:30.524806023 CEST650949731154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:30.525027990 CEST497316509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:30.525096893 CEST497316509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:30.525835037 CEST497335532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:30.529850006 CEST650949731154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:30.530714035 CEST553249733154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:30.530802965 CEST497335532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:30.534185886 CEST497335532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:30.539047003 CEST553249733154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:32.212944984 CEST553249733154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:32.213016033 CEST497335532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:32.213103056 CEST497335532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:32.217986107 CEST553249733154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:33.226629972 CEST497346509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:33.231673956 CEST650949734154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:33.231797934 CEST497346509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:33.236222982 CEST497346509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:33.241101980 CEST650949734154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:34.957667112 CEST650949734154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:34.957763910 CEST497346509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:34.957827091 CEST497346509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:34.958612919 CEST497355532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:34.976017952 CEST650949734154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:34.977123976 CEST553249735154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:34.977229118 CEST497355532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:34.980623007 CEST497355532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:34.998231888 CEST553249735154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:36.717664003 CEST553249735154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:36.717852116 CEST497355532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:36.717876911 CEST497355532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:36.724598885 CEST553249735154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:37.743601084 CEST497366509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:37.748907089 CEST650949736154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:37.748989105 CEST497366509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:37.752351999 CEST497366509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:37.758378983 CEST650949736154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:39.453953981 CEST650949736154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:39.454006910 CEST497366509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:39.454068899 CEST497366509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:39.454818964 CEST497375532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:39.464051008 CEST650949736154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:39.464922905 CEST553249737154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:39.465013981 CEST497375532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:39.468642950 CEST497375532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:39.482094049 CEST553249737154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:41.397443056 CEST553249737154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:41.397519112 CEST497375532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:41.397551060 CEST497375532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:41.399602890 CEST553249737154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:41.403318882 CEST497375532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:41.436738968 CEST553249737154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:42.404654980 CEST497386509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:42.411004066 CEST650949738154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:42.411091089 CEST497386509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:42.414401054 CEST497386509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:42.419203997 CEST650949738154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:44.132031918 CEST650949738154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:44.135373116 CEST497386509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:44.135421991 CEST497386509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:44.135988951 CEST497395532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:44.150876045 CEST650949738154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:44.151495934 CEST553249739154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:44.155392885 CEST497395532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:44.158724070 CEST497395532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:44.169699907 CEST553249739154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:45.876858950 CEST553249739154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:45.879367113 CEST497395532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:45.879405022 CEST497395532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:45.886852026 CEST553249739154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:46.889184952 CEST497406509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:46.924845934 CEST650949740154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:46.924967051 CEST497406509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:46.928292990 CEST497406509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:46.947604895 CEST650949740154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:48.699316025 CEST650949740154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:48.701432943 CEST497406509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:48.701488972 CEST497406509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:48.702416897 CEST497415532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:48.721813917 CEST650949740154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:48.721828938 CEST553249741154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:48.721962929 CEST497415532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:48.725392103 CEST497415532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:48.750188112 CEST553249741154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:50.514008999 CEST553249741154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:50.514126062 CEST497415532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:50.514126062 CEST497415532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:50.548787117 CEST553249741154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:51.529745102 CEST497426509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:51.773868084 CEST650949742154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:51.773972034 CEST497426509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:51.778121948 CEST497426509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:51.789659977 CEST650949742154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:53.463992119 CEST650949742154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:53.466018915 CEST497426509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:53.466018915 CEST497426509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:53.466751099 CEST497435532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:53.470909119 CEST650949742154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:53.471812963 CEST553249743154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:53.471887112 CEST497435532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:53.475212097 CEST497435532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:53.479971886 CEST553249743154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:55.187311888 CEST553249743154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:55.187381983 CEST497435532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:55.187515974 CEST497435532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:55.192295074 CEST553249743154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:56.201842070 CEST497446509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:56.206799984 CEST650949744154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:56.209767103 CEST497446509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:56.212869883 CEST497446509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:56.217629910 CEST650949744154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:57.917360067 CEST650949744154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:57.919488907 CEST497446509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:57.919533014 CEST497446509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:57.920222998 CEST497455532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:57.924417019 CEST650949744154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:57.925021887 CEST553249745154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:57.925118923 CEST497455532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:57.928427935 CEST497455532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:57.933267117 CEST553249745154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:59.621577024 CEST553249745154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:38:59.627589941 CEST497455532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:59.627589941 CEST497455532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:38:59.632499933 CEST553249745154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:00.641746998 CEST497466509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:00.646775961 CEST650949746154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:00.649821043 CEST497466509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:00.653122902 CEST497466509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:00.659423113 CEST650949746154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:02.358957052 CEST650949746154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:02.359045982 CEST497466509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:02.359121084 CEST497466509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:02.359808922 CEST497475532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:02.365171909 CEST650949746154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:02.366239071 CEST553249747154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:02.366300106 CEST497475532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:02.371556044 CEST497475532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:02.377032042 CEST553249747154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:04.101984978 CEST553249747154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:04.102047920 CEST497475532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:04.102073908 CEST497475532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:04.107363939 CEST553249747154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:05.108674049 CEST497486509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:05.113884926 CEST650949748154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:05.113969088 CEST497486509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:05.118410110 CEST497486509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:05.123328924 CEST650949748154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:06.825664043 CEST650949748154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:06.825726032 CEST497486509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:06.827424049 CEST497486509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:06.830949068 CEST497495532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:06.832947016 CEST650949748154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:06.840416908 CEST553249749154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:06.840507030 CEST497495532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:06.845078945 CEST497495532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:06.852421045 CEST553249749154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:08.528783083 CEST553249749154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:08.528881073 CEST497495532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:08.529268026 CEST497495532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:08.534615993 CEST553249749154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:09.545636892 CEST497506509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:09.551487923 CEST650949750154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:09.551548004 CEST497506509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:09.555826902 CEST497506509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:09.564939976 CEST650949750154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:11.343058109 CEST650949750154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:11.345552921 CEST497506509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:11.345638037 CEST497506509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:11.346183062 CEST497515532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:11.350512028 CEST650949750154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:11.351046085 CEST553249751154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:11.351499081 CEST497515532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:11.354747057 CEST497515532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:11.360022068 CEST553249751154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:13.121370077 CEST553249751154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:13.121428013 CEST497515532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:13.121500969 CEST497515532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:13.126349926 CEST553249751154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:14.123752117 CEST497526509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:14.357057095 CEST650949752154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:14.357182026 CEST497526509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:14.360964060 CEST497526509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:14.366697073 CEST650949752154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:16.059377909 CEST650949752154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:16.059478998 CEST497526509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:16.059535027 CEST497526509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:16.060283899 CEST497535532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:16.064327955 CEST650949752154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:16.065228939 CEST553249753154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:16.065356970 CEST497535532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:16.069430113 CEST497535532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:16.074228048 CEST553249753154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:17.777669907 CEST553249753154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:17.777730942 CEST497535532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:17.777770042 CEST497535532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:17.782725096 CEST553249753154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:18.780206919 CEST497546509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:18.786408901 CEST650949754154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:18.789603949 CEST497546509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:18.792943954 CEST497546509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:18.797924042 CEST650949754154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:20.480460882 CEST650949754154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:20.480515957 CEST497546509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:20.480597019 CEST497546509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:20.481216908 CEST497555532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:20.485358953 CEST650949754154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:20.485969067 CEST553249755154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:20.486135006 CEST497555532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:20.490864038 CEST497555532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:20.495951891 CEST553249755154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:22.168206930 CEST553249755154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:22.168287039 CEST497555532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:22.168395996 CEST497555532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:22.173175097 CEST553249755154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:39:23.170928955 CEST497566509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:39:23.179300070 CEST650949756154.216.19.222192.168.2.8
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Sep 25, 2024 14:39:23.179373980 CEST  49756        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:23.183140993 CEST  49756        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:23.189413071 CEST  6509         49756      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:24.908173084 CEST  6509         49756      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:24.908245087 CEST  49756        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:24.908291101 CEST  49756        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:24.909105062 CEST  49757        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:24.913099051 CEST  6509         49756      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:24.913913965 CEST  5532         49757      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:24.914083004 CEST  49757        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:24.917788029 CEST  49757        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:24.922555923 CEST  5532         49757      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:26.640593052 CEST  5532         49757      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:26.640659094 CEST  49757        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:26.640729904 CEST  49757        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:26.645538092 CEST  5532         49757      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:27.655088902 CEST  49758        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:27.703998089 CEST  6509         49758      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:27.707626104 CEST  49758        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:27.711004019 CEST  49758        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:27.715781927 CEST  6509         49758      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:29.402393103 CEST  6509         49758      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:29.402443886 CEST  49758        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:29.402559996 CEST  49758        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:29.403224945 CEST  49759        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:29.407314062 CEST  6509         49758      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:29.408107996 CEST  5532         49759      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:29.408178091 CEST  49759        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:29.412197113 CEST  49759        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:29.417033911 CEST  5532         49759      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:31.127841949 CEST  5532         49759      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:31.131681919 CEST  49759        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:31.131788015 CEST  49759        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:31.136709929 CEST  5532         49759      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:32.139714956 CEST  49760        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:32.144848108 CEST  6509         49760      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:32.144928932 CEST  49760        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:32.149333000 CEST  49760        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:32.155002117 CEST  6509         49760      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:33.861648083 CEST  6509         49760      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:33.863658905 CEST  49760        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:33.863763094 CEST  49760        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:33.864511013 CEST  49761        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:33.868612051 CEST  6509         49760      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:33.869379997 CEST  5532         49761      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:33.869467020 CEST  49761        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:33.872665882 CEST  49761        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:33.877538919 CEST  5532         49761      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:35.642193079 CEST  5532         49761      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:35.642261028 CEST  49761        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:35.642339945 CEST  49761        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:35.651144028 CEST  5532         49761      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:36.655102015 CEST  49762        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:36.660384893 CEST  6509         49762      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:36.660470009 CEST  49762        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:36.663944006 CEST  49762        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:36.669246912 CEST  6509         49762      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:38.504898071 CEST  6509         49762      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:38.506143093 CEST  49762        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:38.506181002 CEST  49762        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:38.506755114 CEST  49763        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:38.519335032 CEST  6509         49762      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:38.520328045 CEST  5532         49763      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:38.520694017 CEST  49763        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:38.523911953 CEST  49763        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:38.543195009 CEST  5532         49763      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:40.317034960 CEST  5532         49763      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:40.317131996 CEST  49763        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:40.317131996 CEST  49763        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:40.382397890 CEST  5532         49763      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:41.347492933 CEST  49764        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:41.363850117 CEST  6509         49764      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:41.363933086 CEST  49764        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:41.368269920 CEST  49764        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:41.374428988 CEST  6509         49764      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:43.151680946 CEST  6509         49764      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:43.152188063 CEST  49764        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:43.152188063 CEST  49764        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:43.152739048 CEST  49765        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:43.184132099 CEST  6509         49764      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:43.184150934 CEST  5532         49765      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:43.184258938 CEST  49765        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:43.199982882 CEST  49765        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:43.212344885 CEST  5532         49765      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:45.106240034 CEST  5532         49765      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:45.109862089 CEST  49765        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:45.109889984 CEST  49765        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:45.123044968 CEST  5532         49765      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:46.127883911 CEST  49766        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:46.135209084 CEST  6509         49766      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:46.135723114 CEST  49766        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:46.138982058 CEST  49766        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:46.144961119 CEST  6509         49766      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:47.877800941 CEST  6509         49766      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:47.877924919 CEST  49766        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:47.877949953 CEST  49766        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:47.878658056 CEST  49767        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:47.884346008 CEST  6509         49766      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:47.885598898 CEST  5532         49767      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:47.885674000 CEST  49767        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:47.890053034 CEST  49767        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:47.894988060 CEST  5532         49767      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:49.610727072 CEST  5532         49767      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:49.610799074 CEST  49767        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:49.610924959 CEST  49767        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:49.621411085 CEST  5532         49767      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:50.628696918 CEST  49768        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:50.635647058 CEST  6509         49768      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:50.636219025 CEST  49768        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:50.646513939 CEST  49768        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:50.654951096 CEST  6509         49768      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:52.383706093 CEST  6509         49768      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:52.383769989 CEST  49768        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:52.383867025 CEST  49768        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:52.384725094 CEST  49769        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:52.397067070 CEST  6509         49768      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:52.399005890 CEST  5532         49769      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:52.399074078 CEST  49769        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:52.404387951 CEST  49769        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:52.426089048 CEST  5532         49769      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:54.193408012 CEST  5532         49769      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:54.193557024 CEST  49769        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:54.193600893 CEST  49769        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:54.198640108 CEST  5532         49769      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:55.202342033 CEST  49770        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:55.222007990 CEST  6509         49770      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:55.222198009 CEST  49770        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:55.225944042 CEST  49770        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:55.245639086 CEST  6509         49770      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:56.983913898 CEST  6509         49770      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:56.983978987 CEST  49770        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:56.984042883 CEST  49770        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:56.984678984 CEST  49771        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:56.988847017 CEST  6509         49770      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:56.989628077 CEST  5532         49771      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:56.989706993 CEST  49771        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:56.993407011 CEST  49771        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:56.998682022 CEST  5532         49771      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:58.702168941 CEST  5532         49771      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:58.703767061 CEST  49771        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:58.703809023 CEST  49771        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:58.710628986 CEST  5532         49771      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:59.717834949 CEST  49772        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:59.722951889 CEST  6509         49772      154.216.19.222   192.168.2.8
Sep 25, 2024 14:39:59.723035097 CEST  49772        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:59.727086067 CEST  49772        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:39:59.732002020 CEST  6509         49772      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:01.423620939 CEST  6509         49772      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:01.423851967 CEST  49772        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:01.423902035 CEST  49772        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:01.424618959 CEST  49773        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:01.428634882 CEST  6509         49772      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:01.429390907 CEST  5532         49773      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:01.429465055 CEST  49773        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:01.432856083 CEST  49773        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:01.437618971 CEST  5532         49773      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:03.126274109 CEST  5532         49773      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:03.126337051 CEST  49773        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:03.126374006 CEST  49773        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:03.131182909 CEST  5532         49773      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:04.108504057 CEST  49774        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:04.113416910 CEST  6509         49774      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:04.114842892 CEST  49774        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:04.118197918 CEST  49774        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:04.123153925 CEST  6509         49774      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:05.809309959 CEST  6509         49774      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:05.810648918 CEST  49774        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:05.810708046 CEST  49774        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:05.812182903 CEST  49775        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:05.815406084 CEST  6509         49774      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:05.816956997 CEST  5532         49775      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:05.819819927 CEST  49775        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:05.823016882 CEST  49775        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:05.827812910 CEST  5532         49775      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:07.534101009 CEST  5532         49775      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:07.534173012 CEST  49775        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:07.534322023 CEST  49775        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:07.540771008 CEST  5532         49775      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:08.483448982 CEST  49776        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:08.488405943 CEST  6509         49776      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:08.488481998 CEST  49776        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:08.491869926 CEST  49776        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:08.496659994 CEST  6509         49776      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:10.168504000 CEST  6509         49776      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:10.168572903 CEST  49776        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:10.168636084 CEST  49776        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:10.169270039 CEST  49777        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:10.173449039 CEST  6509         49776      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:10.174105883 CEST  5532         49777      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:10.174196959 CEST  49777        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:10.178257942 CEST  49777        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:10.183136940 CEST  5532         49777      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:11.876508951 CEST  5532         49777      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:11.876581907 CEST  49777        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:11.876638889 CEST  49777        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:11.881392002 CEST  5532         49777      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:12.795609951 CEST  49778        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:13.192625046 CEST  6509         49778      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:13.192733049 CEST  49778        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:13.196485996 CEST  49778        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:13.201251984 CEST  6509         49778      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:14.888288975 CEST  6509         49778      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:14.888830900 CEST  49778        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:14.888911009 CEST  49778        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:14.889352083 CEST  49779        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:14.894193888 CEST  6509         49778      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:14.894442081 CEST  5532         49779      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:14.894530058 CEST  49779        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:14.897667885 CEST  49779        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:14.902510881 CEST  5532         49779      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:16.593002081 CEST  5532         49779      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:16.595920086 CEST  49779        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:16.595946074 CEST  49779        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:16.600935936 CEST  5532         49779      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:17.487282038 CEST  49780        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:17.492218971 CEST  6509         49780      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:17.493876934 CEST  49780        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:17.496601105 CEST  49780        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:17.501429081 CEST  6509         49780      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:19.184974909 CEST  6509         49780      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:19.185030937 CEST  49780        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:19.185146093 CEST  49780        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:19.185853958 CEST  49781        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:19.189861059 CEST  6509         49780      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:19.190618038 CEST  5532         49781      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:19.190709114 CEST  49781        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:19.195327997 CEST  49781        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:19.200176954 CEST  5532         49781      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:21.746522903 CEST  5532         49781      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:21.746887922 CEST  5532         49781      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:21.747029066 CEST  49781        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:21.747040033 CEST  49781        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:21.747237921 CEST  5532         49781      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:21.747872114 CEST  49781        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:21.749583006 CEST  5532         49781      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:21.749635935 CEST  49781        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:21.751838923 CEST  5532         49781      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:22.592685938 CEST  49782        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:22.597683907 CEST  6509         49782      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:22.599067926 CEST  49782        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:22.601983070 CEST  49782        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:22.606959105 CEST  6509         49782      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:24.316673994 CEST  6509         49782      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:24.320063114 CEST  49782        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:24.320063114 CEST  49782        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:24.320334911 CEST  49783        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:24.327222109 CEST  6509         49782      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:24.327238083 CEST  5532         49783      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:24.327357054 CEST  49783        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:24.330559969 CEST  49783        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:24.335794926 CEST  5532         49783      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:26.013396978 CEST  5532         49783      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:26.013506889 CEST  49783        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:26.013537884 CEST  49783        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:26.023700953 CEST  5532         49783      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:26.842595100 CEST  49784        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:26.847637892 CEST  6509         49784      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:26.847717047 CEST  49784        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:26.850965023 CEST  49784        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:26.855770111 CEST  6509         49784      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:28.549145937 CEST  6509         49784      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:28.549223900 CEST  49784        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:28.549298048 CEST  49784        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:28.549714088 CEST  49785        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:28.554084063 CEST  6509         49784      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:28.554503918 CEST  5532         49785      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:28.554575920 CEST  49785        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:28.557909012 CEST  49785        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:28.562796116 CEST  5532         49785      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:30.251941919 CEST  5532         49785      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:30.253999949 CEST  49785        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:30.254028082 CEST  49785        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:30.259135962 CEST  5532         49785      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:31.045717001 CEST  49786        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:31.318162918 CEST  6509         49786      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:31.318274975 CEST  49786        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:31.321484089 CEST  49786        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:31.326931000 CEST  6509         49786      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:33.125215054 CEST  6509         49786      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:33.125377893 CEST  49786        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:33.125591993 CEST  49786        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:33.125864983 CEST  49787        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:33.130337000 CEST  6509         49786      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:33.130640984 CEST  5532         49787      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:33.130970955 CEST  49787        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:33.135919094 CEST  49787        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:33.140752077 CEST  5532         49787      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:34.939546108 CEST  5532         49787      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:34.939686060 CEST  49787        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:34.939687014 CEST  49787        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:34.946306944 CEST  5532         49787      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:35.722250938 CEST  49788        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:35.727128029 CEST  6509         49788      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:35.727194071 CEST  49788        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:35.735208035 CEST  49788        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:35.740020990 CEST  6509         49788      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:37.419712067 CEST  6509         49788      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:37.422095060 CEST  49788        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:37.422147036 CEST  49788        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:37.422521114 CEST  49789        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:37.427098989 CEST  6509         49788      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:37.427334070 CEST  5532         49789      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:37.427428007 CEST  49789        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:37.430174112 CEST  49789        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:37.434971094 CEST  5532         49789      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:39.209939957 CEST  5532         49789      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:39.210118055 CEST  49789        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:39.214683056 CEST  49789        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:39.223756075 CEST  5532         49789      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:39.952203035 CEST  49790        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:39.957238913 CEST  6509         49790      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:39.958098888 CEST  49790        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:39.961373091 CEST  49790        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:39.966424942 CEST  6509         49790      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:41.699965954 CEST  6509         49790      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:41.700031996 CEST  49790        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:41.700073004 CEST  49790        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:41.700473070 CEST  49791        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:41.713881016 CEST  6509         49790      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:41.714104891 CEST  5532         49791      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:41.714399099 CEST  49791        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:41.717983961 CEST  49791        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:41.729010105 CEST  5532         49791      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:43.450551033 CEST  5532         49791      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:43.450834036 CEST  49791        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:43.450884104 CEST  49791        5532       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:43.456794977 CEST  5532         49791      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:44.228804111 CEST  49792        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:44.239494085 CEST  6509         49792      154.216.19.222   192.168.2.8
Sep 25, 2024 14:40:44.244062901 CEST  49792        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:44.247400045 CEST  49792        6509       192.168.2.8      154.216.19.222
Sep 25, 2024 14:40:44.252937078 CEST  6509         49792      154.216.19.222   192.168.2.8
                                      Sep 25, 2024 14:40:45.984244108 CEST650949792154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:45.986253023 CEST497926509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:45.986301899 CEST497926509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:45.986670017 CEST497935532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:45.991452932 CEST650949792154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:45.991949081 CEST553249793154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:45.992046118 CEST497935532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:45.995348930 CEST497935532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:46.008243084 CEST553249793154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:47.758867025 CEST553249793154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:47.758961916 CEST497935532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:47.759027004 CEST497935532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:47.765541077 CEST553249793154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:48.452383995 CEST497946509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:48.461302996 CEST650949794154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:48.461380005 CEST497946509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:48.464665890 CEST497946509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:48.472156048 CEST650949794154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:50.197751045 CEST650949794154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:50.197815895 CEST497946509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:50.197882891 CEST497946509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:50.198339939 CEST497955532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:50.205373049 CEST650949794154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:50.205748081 CEST553249795154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:50.205878019 CEST497955532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:50.209207058 CEST497955532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:50.214567900 CEST553249795154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:51.937596083 CEST553249795154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:51.937680960 CEST497955532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:51.937766075 CEST497955532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:51.944005966 CEST553249795154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:52.609458923 CEST497966509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:52.630750895 CEST650949796154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:52.630840063 CEST497966509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:52.634166002 CEST497966509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:52.640374899 CEST650949796154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:54.391082048 CEST650949796154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:54.391151905 CEST497966509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:54.391186953 CEST497966509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:54.391597986 CEST497975532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:54.396907091 CEST650949796154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:54.396929979 CEST553249797154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:54.397022009 CEST497975532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:54.400809050 CEST497975532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:54.406459093 CEST553249797154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:56.120235920 CEST553249797154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:56.120318890 CEST497975532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:56.120409012 CEST497975532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:56.146632910 CEST553249797154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:56.764832020 CEST497986509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:56.776102066 CEST650949798154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:56.780260086 CEST497986509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:56.783467054 CEST497986509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:56.790877104 CEST650949798154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:58.487680912 CEST650949798154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:58.488250971 CEST497986509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:58.488250971 CEST497986509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:58.488600969 CEST497995532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:58.493252039 CEST650949798154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:58.493463993 CEST553249799154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:40:58.493566036 CEST497995532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:58.496881962 CEST497995532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:40:58.501707077 CEST553249799154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:00.221849918 CEST553249799154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:00.223434925 CEST497995532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:00.223481894 CEST497995532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:00.228311062 CEST553249799154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:00.859062910 CEST498006509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:00.864130020 CEST650949800154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:00.864213943 CEST498006509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:00.868254900 CEST498006509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:00.873970032 CEST650949800154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:02.594067097 CEST650949800154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:02.594227076 CEST498006509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:02.594269991 CEST498006509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:02.595417023 CEST498015532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:02.600363016 CEST650949800154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:02.601458073 CEST553249801154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:02.601564884 CEST498015532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:02.605088949 CEST498015532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:02.610821962 CEST553249801154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:04.295295954 CEST553249801154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:04.296174049 CEST498015532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:04.300090075 CEST498015532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:04.305246115 CEST553249801154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:04.905450106 CEST498026509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:04.910620928 CEST650949802154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:04.912142992 CEST498026509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:04.915467978 CEST498026509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:04.920347929 CEST650949802154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:06.609714985 CEST650949802154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:06.609806061 CEST498026509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:06.609846115 CEST498026509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:06.610255003 CEST498035532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:06.615647078 CEST650949802154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:06.615683079 CEST553249803154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:06.615766048 CEST498035532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:06.620738029 CEST498035532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:06.625570059 CEST553249803154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:08.343084097 CEST553249803154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:08.344197989 CEST498035532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:08.344237089 CEST498035532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:08.349054098 CEST553249803154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:08.947987080 CEST498046509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:08.953579903 CEST650949804154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:08.953727961 CEST498046509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:09.029781103 CEST498046509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:09.036654949 CEST650949804154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:10.653601885 CEST650949804154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:10.653666973 CEST498046509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:10.653717041 CEST498046509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:10.654119968 CEST498055532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:10.658842087 CEST650949804154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:10.658890963 CEST553249805154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:10.658983946 CEST498055532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:10.662348032 CEST498055532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:10.667222977 CEST553249805154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:12.343471050 CEST553249805154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:12.344219923 CEST498055532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:12.344315052 CEST498055532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:12.349339962 CEST553249805154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:12.921240091 CEST498066509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:12.926389933 CEST650949806154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:12.926626921 CEST498066509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:12.930047035 CEST498066509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:12.935041904 CEST650949806154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:14.624077082 CEST650949806154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:14.624144077 CEST498066509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:14.624211073 CEST498066509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:14.624567032 CEST498075532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:14.630266905 CEST650949806154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:14.630284071 CEST553249807154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:14.630377054 CEST498075532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:14.642863989 CEST498075532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:14.647722960 CEST553249807154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:16.346499920 CEST553249807154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:16.346596003 CEST498075532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:16.346668959 CEST498075532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:16.351469040 CEST553249807154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:16.905567884 CEST498086509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:16.910419941 CEST650949808154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:16.911545038 CEST498086509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:16.914834023 CEST498086509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:16.919593096 CEST650949808154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:18.591948032 CEST650949808154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:18.596263885 CEST498086509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:18.596688986 CEST498086509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:18.596690893 CEST498095532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:18.601525068 CEST650949808154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:18.601538897 CEST553249809154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:18.601639032 CEST498095532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:18.605005026 CEST498095532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:18.609759092 CEST553249809154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:20.295849085 CEST553249809154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:20.296231031 CEST498095532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:20.296315908 CEST498095532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:20.301171064 CEST553249809154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:20.827683926 CEST498106509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:20.832678080 CEST650949810154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:20.832771063 CEST498106509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:20.836982012 CEST498106509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:20.841865063 CEST650949810154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:22.513621092 CEST650949810154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:22.516253948 CEST498106509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:22.532433033 CEST498106509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:22.533046961 CEST498115532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:22.537255049 CEST650949810154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:22.538485050 CEST553249811154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:22.538558006 CEST498115532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:22.547894001 CEST498115532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:22.552762032 CEST553249811154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:24.268578053 CEST553249811154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:24.272250891 CEST498115532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:24.272296906 CEST498115532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:24.277123928 CEST553249811154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:24.781909943 CEST498126509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:24.831983089 CEST650949812154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:24.832101107 CEST498126509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:24.835562944 CEST498126509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:24.840460062 CEST650949812154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:26.547564983 CEST650949812154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:26.547682047 CEST498126509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:26.547756910 CEST498126509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:26.548197031 CEST498135532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:26.552675962 CEST650949812154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:26.553066015 CEST553249813154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:26.553172112 CEST498135532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:26.556922913 CEST498135532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:26.561739922 CEST553249813154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:28.249839067 CEST553249813154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:28.250228882 CEST498135532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:28.250309944 CEST498135532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:28.255072117 CEST553249813154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:28.749401093 CEST498146509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:28.755798101 CEST650949814154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:28.755881071 CEST498146509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:28.759202957 CEST498146509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:28.766493082 CEST650949814154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:30.453233004 CEST650949814154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:30.455143929 CEST498146509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:30.455230951 CEST498146509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:30.455631018 CEST498155532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:30.460454941 CEST650949814154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:30.460573912 CEST553249815154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:30.460689068 CEST498155532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:30.464015007 CEST498155532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:30.468835115 CEST553249815154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:32.207437992 CEST553249815154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:32.210499048 CEST498155532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:32.210537910 CEST498155532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:32.215451956 CEST553249815154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:32.686880112 CEST498166509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:32.692090988 CEST650949816154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:32.692159891 CEST498166509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:32.696515083 CEST498166509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:32.701467037 CEST650949816154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:34.410943031 CEST650949816154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:34.412286997 CEST498166509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:34.421467066 CEST498166509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:34.421881914 CEST498175532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:34.427469969 CEST650949816154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:34.427942991 CEST553249817154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:34.428283930 CEST498175532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:34.483958960 CEST498175532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:34.673981905 CEST553249817154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:36.143296957 CEST553249817154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:36.143477917 CEST498175532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:36.143477917 CEST498175532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:36.148345947 CEST553249817154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:36.609592915 CEST498186509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:36.614557981 CEST650949818154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:36.614667892 CEST498186509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:36.618092060 CEST498186509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:36.623980045 CEST650949818154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:38.343027115 CEST650949818154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:38.343245983 CEST498186509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:38.343245983 CEST498186509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:38.343610048 CEST498195532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:38.348175049 CEST650949818154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:38.348586082 CEST553249819154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:38.348659039 CEST498195532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:38.351982117 CEST498195532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:38.359360933 CEST553249819154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:40.079037905 CEST553249819154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:40.079106092 CEST498195532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:40.079180002 CEST498195532192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:40.084019899 CEST553249819154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:41.093198061 CEST498206509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:41.098191977 CEST650949820154.216.19.222192.168.2.8
                                      Sep 25, 2024 14:41:41.098334074 CEST498206509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:41.102845907 CEST498206509192.168.2.8154.216.19.222
                                      Sep 25, 2024 14:41:41.108444929 CEST650949820154.216.19.222192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 14:37:33.972482920 CEST | 62646 | 53 | 192.168.2.8 | 1.1.1.1
Sep 25, 2024 14:37:33.981946945 CEST | 53 | 62646 | 1.1.1.1 | 192.168.2.8
Sep 25, 2024 14:38:37.732626915 CEST | 54796 | 53 | 192.168.2.8 | 1.1.1.1
Sep 25, 2024 14:38:37.742650986 CEST | 53 | 54796 | 1.1.1.1 | 192.168.2.8
Sep 25, 2024 14:39:41.326461077 CEST | 51336 | 53 | 192.168.2.8 | 1.1.1.1
Sep 25, 2024 14:39:41.346657991 CEST | 53 | 51336 | 1.1.1.1 | 192.168.2.8
Sep 25, 2024 14:40:44.170700073 CEST | 54329 | 53 | 192.168.2.8 | 1.1.1.1
Sep 25, 2024 14:40:44.224945068 CEST | 53 | 54329 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 14:37:33.972482920 CEST | 192.168.2.8 | 1.1.1.1 | 0x45f8 | Standard query (0) | sungito2.ddns.net | A (IP address) | IN (0x0001) | false
Sep 25, 2024 14:38:37.732626915 CEST | 192.168.2.8 | 1.1.1.1 | 0x77bc | Standard query (0) | sungito2.ddns.net | A (IP address) | IN (0x0001) | false
Sep 25, 2024 14:39:41.326461077 CEST | 192.168.2.8 | 1.1.1.1 | 0xe48b | Standard query (0) | sungito2.ddns.net | A (IP address) | IN (0x0001) | false
Sep 25, 2024 14:40:44.170700073 CEST | 192.168.2.8 | 1.1.1.1 | 0x392d | Standard query (0) | sungito2.ddns.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 14:37:33.981946945 CEST | 1.1.1.1 | 192.168.2.8 | 0x45f8 | No error (0) | sungito2.ddns.net |  | 154.216.19.222 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 14:38:37.742650986 CEST | 1.1.1.1 | 192.168.2.8 | 0x77bc | No error (0) | sungito2.ddns.net |  | 154.216.19.222 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 14:39:41.346657991 CEST | 1.1.1.1 | 192.168.2.8 | 0xe48b | No error (0) | sungito2.ddns.net |  | 154.216.19.222 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 14:40:44.224945068 CEST | 1.1.1.1 | 192.168.2.8 | 0x392d | No error (0) | sungito2.ddns.net |  | 154.216.19.222 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 08:37:33
Start date: 25/09/2024
Path: C:\Users\user\Desktop\ZZ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ZZ.exe"
Imagebase: 0x400000
File size: 494'592 bytes
MD5 hash: AA4ACA6B0973B169A4242718F04D9C54
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3857926378.000000000224F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1396938464.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3857847409.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: low
Has exited: false

Execution Graph

Execution Coverage: 3.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 23.8%
Total number of Nodes: 1187
Total number of Limit Nodes: 53
[Execution graph: the report renders this as an interactive call graph; the raw node and edge listing (function addresses with their API calls and caller->callee links) is not reproducible as text and is omitted here.]
28 API calls 48353->48363 48364 40a671 12 API calls 48353->48364 48365 41bcef 28 API calls 48353->48365 48366 401f09 11 API calls 48353->48366 48367 401fd8 11 API calls 48353->48367 48375 40907f 28 API calls 48353->48375 48376 40b19f 31 API calls _Yarn 48353->48376 48377 40b9b7 28 API calls 48353->48377 48378 40b783 40 API calls 2 library calls 48353->48378 48379 441ed1 20 API calls 48353->48379 48380 4052fd 28 API calls 48353->48380 48354->48353 48357->48353 48359->48353 48361->48353 48363->48353 48364->48353 48365->48353 48366->48353 48367->48353 48370 401f8e 48369->48370 48371 402252 11 API calls 48370->48371 48372 401f99 48371->48372 48372->48345 48373->48345 48374->48345 48375->48353 48376->48353 48377->48353 48378->48353 48379->48353 48383 40322e 48382->48383 48392 403618 48383->48392 48385 40323b 48385->48214 48387 40326e 48386->48387 48388 402252 11 API calls 48387->48388 48389 403288 48388->48389 48390 402336 11 API calls 48389->48390 48391 403031 48390->48391 48391->47791 48393 403626 48392->48393 48394 403644 48393->48394 48395 40362c 48393->48395 48397 40365c 48394->48397 48398 40369e 48394->48398 48403 4036a6 28 API calls 48395->48403 48399 403642 48397->48399 48402 4027e6 28 API calls 48397->48402 48404 4028a4 22 API calls 48398->48404 48399->48385 48402->48399 48403->48399 48406 404186 48405->48406 48407 402252 11 API calls 48406->48407 48408 404191 48407->48408 48416 4041bc 48408->48416 48411 4042fc 48427 404353 48411->48427 48413 40430a 48414 403262 11 API calls 48413->48414 48415 404319 48414->48415 48415->47799 48417 4041c8 48416->48417 48420 4041d9 48417->48420 48419 40419c 48419->48411 48421 4041e9 48420->48421 48422 404206 48421->48422 48423 4041ef 48421->48423 48424 4027e6 28 API calls 48422->48424 48425 404267 28 API calls 48423->48425 48426 404204 48424->48426 48425->48426 48426->48419 48428 40435f 48427->48428 48431 404371 48428->48431 48430 40436d 48430->48413 48432 40437f 48431->48432 48433 404385 48432->48433 48434 40439e 48432->48434 
48497 4034e6 28 API calls 48433->48497 48435 402888 22 API calls 48434->48435 48436 4043a6 48435->48436 48438 404419 48436->48438 48439 4043bf 48436->48439 48498 4028a4 22 API calls 48438->48498 48442 4027e6 28 API calls 48439->48442 48450 40439c 48439->48450 48442->48450 48450->48430 48497->48450 48505 43ab1a 48499->48505 48503 4138ca RegSetValueExA RegCloseKey 48502->48503 48504 4138f4 48502->48504 48503->48504 48504->47818 48508 43aa9b 48505->48508 48507 40170d 48507->47816 48509 43aaaa 48508->48509 48510 43aabe 48508->48510 48514 44062d 20 API calls _abort 48509->48514 48513 43aaaf __alldvrm ___std_exception_copy 48510->48513 48515 4489d7 11 API calls 2 library calls 48510->48515 48513->48507 48514->48513 48515->48513 48519 41b98a _Yarn ___scrt_get_show_window_mode 48516->48519 48517 402093 28 API calls 48518 414f84 48517->48518 48518->47824 48519->48517 48520->47841 48522 414f33 48521->48522 48523 414f3d getaddrinfo WSASetLastError 48521->48523 48639 414dc1 29 API calls ___std_exception_copy 48522->48639 48523->47869 48525 414f38 48525->48523 48527 404846 socket 48526->48527 48528 404839 48526->48528 48529 404860 CreateEventW 48527->48529 48530 404842 48527->48530 48640 40489e WSAStartup 48528->48640 48529->47869 48530->47869 48532 40483e 48532->48527 48532->48530 48534 404f65 48533->48534 48535 404fea 48533->48535 48536 404f6e 48534->48536 48537 404fc0 CreateEventA CreateThread 48534->48537 48538 404f7d GetLocalTime 48534->48538 48535->47869 48536->48537 48537->48535 48643 405150 48537->48643 48641 41bc1f 28 API calls 48538->48641 48540 404f91 48642 4052fd 28 API calls 48540->48642 48549 404a1b 48548->48549 48550 4048ee 48548->48550 48551 40497e 48549->48551 48552 404a21 WSAGetLastError 48549->48552 48550->48551 48554 40531e 28 API calls 48550->48554 48572 404923 48550->48572 48551->47869 48552->48551 48553 404a31 48552->48553 48555 404a36 48553->48555 48557 404932 48553->48557 48558 40490f 48554->48558 48658 41cb72 30 API calls 48555->48658 48561 402093 28 
API calls 48557->48561 48562 402093 28 API calls 48558->48562 48560 40492b 48560->48557 48564 404941 48560->48564 48565 404a80 48561->48565 48566 40491e 48562->48566 48563 404a40 48659 4052fd 28 API calls 48563->48659 48574 404950 48564->48574 48575 404987 48564->48575 48568 402093 28 API calls 48565->48568 48569 41b580 80 API calls 48566->48569 48571 404a8f 48568->48571 48569->48572 48577 41b580 80 API calls 48571->48577 48647 420cf1 27 API calls 48572->48647 48576 402093 28 API calls 48574->48576 48655 421ad1 54 API calls 48575->48655 48580 40495f 48576->48580 48577->48551 48583 402093 28 API calls 48580->48583 48582 40498f 48585 4049c4 48582->48585 48586 404994 48582->48586 48587 40496e 48583->48587 48657 420e97 28 API calls 48585->48657 48590 402093 28 API calls 48586->48590 48591 41b580 80 API calls 48587->48591 48593 4049a3 48590->48593 48594 404973 48591->48594 48592 4049cc 48595 4049f9 CreateEventW CreateEventW 48592->48595 48598 402093 28 API calls 48592->48598 48596 402093 28 API calls 48593->48596 48648 420d31 48594->48648 48595->48551 48597 4049b2 48596->48597 48599 41b580 80 API calls 48597->48599 48601 4049e2 48598->48601 48602 4049b7 48599->48602 48603 402093 28 API calls 48601->48603 48656 421143 52 API calls 48602->48656 48605 4049f1 48603->48605 48606 41b580 80 API calls 48605->48606 48607 4049f6 48606->48607 48607->48595 48609 404e40 SetEvent CloseHandle 48608->48609 48610 404e57 closesocket 48608->48610 48611 404ed8 48609->48611 48612 404e64 48610->48612 48611->47869 48613 404e73 48612->48613 48614 404e7a 48612->48614 48662 4050e4 84 API calls 48613->48662 48616 404e8c WaitForSingleObject 48614->48616 48617 404ece SetEvent CloseHandle 48614->48617 48618 420d31 3 API calls 48616->48618 48617->48611 48619 404e9b SetEvent WaitForSingleObject 48618->48619 48620 420d31 3 API calls 48619->48620 48621 404eb3 SetEvent CloseHandle CloseHandle 48620->48621 48621->48617 48622->47869 48623->47869 48625->47869 48626->47869 48627->47869 48628->47869 
48629->47898 48630->47898 48631->47898 48632->47898 48633->47898 48634->47898 48635->47898 48636->47898 48637->47898 48638->47898 48639->48525 48640->48532 48641->48540 48646 40515c 102 API calls 48643->48646 48645 405159 48646->48645 48647->48560 48649 41e7a2 48648->48649 48650 420d39 48648->48650 48651 41e7b0 48649->48651 48660 41d8ec DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48649->48660 48650->48551 48661 41e4d2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48651->48661 48654 41e7b7 48655->48582 48656->48594 48657->48592 48658->48563 48660->48651 48661->48654 48662->48614 48664->47938 48665->47963 48666->47962 48667->47952 48668->47957 48669->47964 48672 40f7fd 48670->48672 48671 413584 3 API calls 48671->48672 48672->48671 48673 40f82f 48672->48673 48674 40f8a1 48672->48674 48676 40f891 Sleep 48672->48676 48675 409097 28 API calls 48673->48675 48673->48676 48679 41bcef 28 API calls 48673->48679 48686 401f09 11 API calls 48673->48686 48688 402093 28 API calls 48673->48688 48692 4137aa 14 API calls 48673->48692 48703 40d0d1 112 API calls ___scrt_get_show_window_mode 48673->48703 48704 41384f 14 API calls 48673->48704 48677 409097 28 API calls 48674->48677 48675->48673 48676->48672 48680 40f8ac 48677->48680 48679->48673 48681 41bcef 28 API calls 48680->48681 48682 40f8b8 48681->48682 48705 41384f 14 API calls 48682->48705 48685 40f8cb 48687 401f09 11 API calls 48685->48687 48686->48673 48689 40f8d7 48687->48689 48688->48673 48690 402093 28 API calls 48689->48690 48691 40f8e8 48690->48691 48693 4137aa 14 API calls 48691->48693 48692->48673 48694 40f8fb 48693->48694 48706 41288b TerminateProcess WaitForSingleObject 48694->48706 48696 40f903 ExitProcess 48707 412829 62 API calls 48697->48707 48704->48673 48705->48685 48706->48696 48708 42f97e 48709 42f989 48708->48709 48710 42f99d 48709->48710 48712 432f7f 48709->48712 48713 432f8a 48712->48713 48714 432f8e 48712->48714 48713->48710 48716 440f5d 48714->48716 48717 446206 
48716->48717 48718 446213 48717->48718 48719 44621e 48717->48719 48720 4461b8 ___crtLCMapStringA 21 API calls 48718->48720 48721 446226 48719->48721 48727 44622f __Getctype 48719->48727 48726 44621b 48720->48726 48729 446802 20 API calls __dosmaperr 48721->48729 48722 446234 48730 44062d 20 API calls _abort 48722->48730 48723 446259 RtlReAllocateHeap 48723->48726 48723->48727 48726->48713 48727->48722 48727->48723 48731 443001 7 API calls 2 library calls 48727->48731 48729->48726 48730->48726 48731->48727 48732 426cdc 48737 426d59 send 48732->48737 48738 41e04e 48739 41e063 _Yarn ___scrt_get_show_window_mode 48738->48739 48741 432f55 21 API calls 48739->48741 48751 41e266 48739->48751 48745 41e213 ___scrt_get_show_window_mode 48741->48745 48742 41e277 48743 41e21a 48742->48743 48753 432f55 48742->48753 48745->48743 48746 432f55 21 API calls 48745->48746 48749 41e240 ___scrt_get_show_window_mode 48746->48749 48747 41e2b0 ___scrt_get_show_window_mode 48747->48743 48758 4335db 48747->48758 48749->48743 48750 432f55 21 API calls 48749->48750 48750->48751 48751->48743 48752 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 48751->48752 48752->48742 48754 432f63 48753->48754 48755 432f5f 48753->48755 48756 43bda0 _Yarn 21 API calls 48754->48756 48755->48747 48757 432f68 48756->48757 48757->48747 48761 4334fa 48758->48761 48760 4335e3 48760->48743 48762 433513 48761->48762 48766 433509 48761->48766 48763 432f55 21 API calls 48762->48763 48762->48766 48764 433534 48763->48764 48764->48766 48767 4338c8 CryptAcquireContextA 48764->48767 48766->48760 48768 4338e4 48767->48768 48769 4338e9 CryptGenRandom 48767->48769 48768->48766 48769->48768 48770 4338fe CryptReleaseContext 48769->48770 48770->48768 48771 426c6d 48777 426d42 recv 48771->48777

                                        Control-flow Graph

                                        APIs
                                        • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                        • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                        • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                        • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
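The list above is the routine at 0x41CBE1 resolving its imports at runtime: every LoadLibraryA or GetModuleHandleA call is immediately followed by a GetProcAddress call. The script below is an added example for this report, not Joe Sandbox code and not code from the sample; it rebuilds the resolved import table from lines in exactly this format and flags the entries an analyst would look at first. It assumes, as the listing suggests, that the second slot shown on each loader line is the export name handed to the following GetProcAddress (LoadLibraryA and GetModuleHandleA take a single argument, so the extra slots are neighbouring stack values), and that an 8-digit hex slot such as the Shlwapi 0000000C entry is an ordinal rather than a name. The embedded sample input is a subset of the lines above, copied verbatim; the triage notes in WATCHLIST are the author's own, not part of the report.

```python
"""Rebuild the runtime-resolved import table from a Joe Sandbox 'APIs' listing.

Added example for this report (not Joe Sandbox code, not code from the sample).
Pairs each LoadLibraryA / GetModuleHandleA call with the GetProcAddress call that
follows it. Assumption: the second slot on a loader line is the export name used
by that GetProcAddress; an 8-digit hex slot is an ordinal.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the APIs list for the routine at 0x41CBE1, copied verbatim from the report.
REPORT_LINES = """
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
• GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
• GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
• GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD60
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
"""

# "<api>.<dll>(<args>), ref: <addr>"; the leading bullet and indentation are skipped.
_LINE = re.compile(r"^\W*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})$")
_ORDINAL = re.compile(r"^[0-9A-Fa-f]{8}$")  # 8 hex digits in the name slot = ordinal import
LOADERS = {"LoadLibraryA", "GetModuleHandleA"}

# Analyst triage notes (this example's own, not from the report). Unlisted exports
# are recorded as resolved but produce no finding.
WATCHLIST = {
    "NtUnmapViewOfSection": "unmaps a section from a process image; the step that empties a host process in hollowing",
    "NtSuspendProcess": "suspends every thread of a target process",
    "SetProcessDEPPolicy": "changes the DEP setting of the calling process",
    "IsUserAnAdmin": "administrator check that usually gates elevation logic",
    "IsWow64Process": "detects 32-bit code running under 64-bit Windows",
    "GetExtendedTcpTable": "enumerates TCP endpoints with owning PIDs (netstat equivalent)",
    "RmStartSession": "Restart Manager session, used to find which processes hold a file open",
}


@dataclass(frozen=True)
class ResolvedImport:
    module: str             # DLL as written in the report
    name: Optional[str]     # export name, None when resolved by ordinal
    ordinal: Optional[int]  # ordinal number, None when resolved by name
    loader: str             # LoadLibraryA or GetModuleHandleA
    ref_load: int           # address of the loader call
    ref_gpa: int            # address of the paired GetProcAddress call


def parse_report(text):
    """Pair each loader call with the GetProcAddress that follows it (adjacency pairing)."""
    imports, pending = [], None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        api, _dll, args, ref = m.groups()
        if api in LOADERS:
            slots = [s.strip() for s in args.split(",")]
            if len(slots) >= 2:
                pending = (slots[0], slots[1], api, int(ref, 16))
        elif api == "GetProcAddress" and pending is not None:
            module, slot, loader, ref_load = pending
            by_ordinal = _ORDINAL.match(slot) is not None
            imports.append(ResolvedImport(module, None if by_ordinal else slot,
                                          int(slot, 16) if by_ordinal else None,
                                          loader, ref_load, int(ref, 16)))
            pending = None
    return imports


def modules(imports):
    """Distinct DLLs touched, case-folded (the report mixes Kernel32 and kernel32)."""
    return sorted({i.module.lower() for i in imports})


def triage(imports):
    """One human-readable finding per import that deserves a first look."""
    findings = []
    for imp in imports:
        if imp.ordinal is not None:
            findings.append(f"{imp.module}!#{imp.ordinal} (GetProcAddress @ {imp.ref_gpa:08X}): "
                            "resolved by ordinal, so no export name appears in the binary")
            continue
        reason = WATCHLIST.get(imp.name)
        if reason is None and imp.module.lower() == "ntdll" and imp.name.startswith("Nt"):
            reason = "native API resolved at runtime"
        if reason:
            findings.append(f"{imp.module}!{imp.name} (GetProcAddress @ {imp.ref_gpa:08X}): {reason}")
    return findings


if __name__ == "__main__":
    resolved = parse_report(REPORT_LINES)
    print(f"{len(resolved)} imports resolved at runtime from: {', '.join(modules(resolved))}")
    for note in triage(resolved):
        print(" -", note)
```

Paste the complete APIs block of a resolver routine into REPORT_LINES to get the full table; pairing relies on the GetProcAddress line directly following its loader line, which is how the report orders the `ref:` addresses. Note the two loader styles: GetModuleHandleA only succeeds for a DLL that is already mapped, which is why it is used for kernel32, user32 and ntdll, while Psapi, shcore, Shell32, Shlwapi, Iphlpapi and Rstrtmgr go through LoadLibraryA.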
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad$HandleModule
                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                        • API String ID: 4236061018-3687161714
                                        • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                        • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                        • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                        • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                        Control-flow Graph

                                        [Control-flow graph of the routine at 0x40EA00-0x40F3EA (block and edge data of the graph widget) omitted. Recoverable sequence: the entry block 0x40EA00 calls the import resolver at 0x41CBE1 and then GetModuleFileNameW; later blocks call StrToIntA (0x40F025), start worker threads with CreateThread (0x40EFFE, 0x40F103, 0x40F158, 0x40F1A9, 0x40F27E, 0x40F293, 0x40F2A8), call SetProcessDEPPolicy (0x40F27B), and a tail loop alternates Sleep (0x40F36F) with DeleteFileW (0x40F381) before returning.]
                                        APIs
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                          • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                          • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                          • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ZZ.exe,00000104), ref: 0040EA29
                                          • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                        • String ID: ,aF$,aF$Access Level: $Administrator$C:\Users\user\Desktop\ZZ.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-EIENFE$Software\$User$`#l$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                        • API String ID: 2830904901-416019610
                                        • Opcode ID: 49431b8dd783423accf16740c7d71729371280868a66773ebf6fb8fdb646c024
                                        • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                        • Opcode Fuzzy Hash: 49431b8dd783423accf16740c7d71729371280868a66773ebf6fb8fdb646c024
                                        • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                        Control-flow Graph (graph omitted)
                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                        • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                        • GetLastError.KERNEL32 ref: 0040A328
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                        • TranslateMessage.USER32(?), ref: 0040A385
                                        • DispatchMessageA.USER32(?), ref: 0040A390
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Similarity
                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                        • String ID: Keylogger initialization failure: error $`Wu
                                        • API String ID: 3219506041-303027793
                                        • Opcode ID: 90b0715fe4a03c7950091ea493cf6ac8be3b9c9bd1286eec6a190886210d1988
                                        • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                        • Opcode Fuzzy Hash: 90b0715fe4a03c7950091ea493cf6ac8be3b9c9bd1286eec6a190886210d1988
                                        • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                          • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                          • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                        • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                        • ExitProcess.KERNEL32 ref: 0040F905
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Similarity
                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                        • String ID: 5.1.2 Pro$override$pth_unenc
                                        • API String ID: 2281282204-3554326054
                                        • Opcode ID: 63a879446c8ff419ef4e70c844bd481c765728b91b26e4cfc9b1ce748e39a5f9
                                        • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                        • Opcode Fuzzy Hash: 63a879446c8ff419ef4e70c844bd481c765728b91b26e4cfc9b1ce748e39a5f9
                                        • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF

                                        Control-flow Graph (graph omitted)
                                        APIs
                                        • GetLocalTime.KERNEL32(?), ref: 00404F81
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Similarity
                                        • API ID: Create$EventLocalThreadTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 2532271599-1507639952
                                        • Opcode ID: d6bdf093f7aea2e5024bc4ba9810f3b5686ab9589db354a71a8a5fd0b8ad62b9
                                        • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                        • Opcode Fuzzy Hash: d6bdf093f7aea2e5024bc4ba9810f3b5686ab9589db354a71a8a5fd0b8ad62b9
                                        • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                        APIs
                                        • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,006E9490), ref: 004338DA
                                        • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Similarity
                                        • API ID: Crypt$Context$AcquireRandomRelease
                                        • String ID:
                                        • API String ID: 1815803762-0
                                        • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                        • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                        • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                        • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                        APIs
                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                        • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Similarity
                                        • API ID: Name$ComputerUser
                                        • String ID:
                                        • API String ID: 4229901323-0
                                        • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                        • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                        • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                        • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Similarity
                                        • API ID: recv
                                        • String ID:
                                        • API String ID: 1507349165-0
                                        • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                        • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                        • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                        • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26

                                        Control-flow Graph (graph omitted)
                                        APIs
                                        • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                        • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                        • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Similarity
                                        • API ID: Sleep$ErrorLastLocalTime
                                        • String ID: | $%I64u$,aF$5.1.2 Pro$C:\Users\user\Desktop\ZZ.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-EIENFE$TLS Off$TLS On $`#l$dMG$hlight$name$NG$NG$PG$PG$PG
                                        • API String ID: 524882891-3599512888
                                        • Opcode ID: 17b944b1b835277ad5605e6f7f563df8fce4a85f4fa63bc7f229c9f4c273a99b
                                        • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                        • Opcode Fuzzy Hash: 17b944b1b835277ad5605e6f7f563df8fce4a85f4fa63bc7f229c9f4c273a99b
                                        • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                        Control-flow Graph

                                        APIs
                                        • Sleep.KERNEL32(00001388), ref: 0040A77B
                                          • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                          • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                          • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                          • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                        • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Similarity
                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                        • String ID: `#l$pQG$pQG$xdF$PG$PG
                                        • API String ID: 3795512280-606300346
                                        • Opcode ID: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                        • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                        • Opcode Fuzzy Hash: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                        • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E

                                        Control-flow Graph (graph omitted)
                                        APIs
                                        • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                        • WSAGetLastError.WS2_32 ref: 00404A21
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Similarity
                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                        • API String ID: 994465650-2151626615
                                        • Opcode ID: 7adcd97a12df77eb00c978c8fa497ed471b838c2edee9eb12bf68db0be483499
                                        • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                        • Opcode Fuzzy Hash: 7adcd97a12df77eb00c978c8fa497ed471b838c2edee9eb12bf68db0be483499
                                        • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                        Control-flow Graph

                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                        • closesocket.WS2_32(000000FF), ref: 00404E5A
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                        • String ID:
                                        • API String ID: 3658366068-0
                                        • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                        • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                        • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                        • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                        Control-flow Graph

                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0040AD73
                                        • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                        • GetForegroundWindow.USER32 ref: 0040AD84
                                        • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                        • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                        • String ID: [${ User has been idle for $ minutes }$]
                                        • API String ID: 911427763-3954389425
                                        • Opcode ID: 9c0ea1497b002db213ca3d4c258de7d47da5450525101b72f9826710761d16ec
                                        • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                        • Opcode Fuzzy Hash: 9c0ea1497b002db213ca3d4c258de7d47da5450525101b72f9826710761d16ec
                                        • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F

                                        Control-flow Graph

                                        APIs
                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LongNamePath
                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                        • API String ID: 82841172-425784914
                                        • Opcode ID: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
                                        • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                        • Opcode Fuzzy Hash: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
                                        • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                        Control-flow Graph

                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                        • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                        • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                        • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreatePointerWrite
                                        • String ID: xpF
                                        • API String ID: 1852769593-354647465
                                        • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                        • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                        • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                        • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                          • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                          • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                          • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                          • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                        • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseCurrentOpenQueryValueWow64
                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                        • API String ID: 782494840-2070987746
                                        • Opcode ID: 8c19a994082f4321bdc384a8b48a1832129d6d8eaa349cc43c026258e8294c9e
                                        • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                        • Opcode Fuzzy Hash: 8c19a994082f4321bdc384a8b48a1832129d6d8eaa349cc43c026258e8294c9e
                                        • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                        Control-flow Graph

                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                        • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                        • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSizeSleep
                                        • String ID: XQG
                                        • API String ID: 1958988193-3606453820
                                        • Opcode ID: 28ce54e323a61a7c7e3df4bf156f69a9efcaf564c436a4257aa778de296e5956
                                        • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                        • Opcode Fuzzy Hash: 28ce54e323a61a7c7e3df4bf156f69a9efcaf564c436a4257aa778de296e5956
                                        • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F

                                        Control-flow Graph

                                        APIs
                                        • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                          • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                          • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread$LocalTimewsprintf
                                        • String ID: Offline Keylogger Started
                                        • API String ID: 465354869-4114347211
                                        • Opcode ID: c7934c326ef2b1dcecdff176d04098d35d6efa8e09e0995c368ff86506386951
                                        • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                        • Opcode Fuzzy Hash: c7934c326ef2b1dcecdff176d04098d35d6efa8e09e0995c368ff86506386951
                                        • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                        • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137E1
                                        • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: pth_unenc
                                        • API String ID: 1818849710-4028850238
                                        • Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                        • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                        • Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                        • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                        • GetLastError.KERNEL32 ref: 0040D0BE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateErrorLastMutex
                                        • String ID: Rmc-EIENFE
                                        • API String ID: 1925916568-2137281354
                                        • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                        • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                        • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                        • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                        • RegCloseKey.KERNEL32(?), ref: 0041362D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        • Opcode ID: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
                                        • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                        • Opcode Fuzzy Hash: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
                                        • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F461
                                        • _free.LIBCMT ref: 0044F49A
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F4A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EnvironmentStrings$Free_free
                                        • String ID:
                                        • API String ID: 2716640707-0
                                        • Opcode ID: 529e42a1fa36a4ac6123fcdb0dfb42304a8dc5a6142a13bb334c2dd4b346bc22
                                        • Instruction ID: 0fde98e0ac238faa149cd6f420f555edc5ad685e5938876998fddc3cfa248eb7
                                        • Opcode Fuzzy Hash: 529e42a1fa36a4ac6123fcdb0dfb42304a8dc5a6142a13bb334c2dd4b346bc22
                                        • Instruction Fuzzy Hash: 41E0E537545A226BB211323A6C49D6F2A58CFD27B6726003BF40486242EE288D0641BA
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                        • RegCloseKey.KERNEL32(?), ref: 004135CD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                        • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                        • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                        • RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID:
                                        • API String ID: 1818849710-0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: pQG
                                        • API String ID: 176396367-3769108836
                                        APIs
                                        • _free.LIBCMT ref: 00446227
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap$_free
                                        • String ID:
                                        • API String ID: 1482568997-0
                                        APIs
                                        • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                          • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateEventStartupsocket
                                        • String ID:
                                        • API String ID: 1953588214-0
                                        APIs
                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                        • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                          • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                          • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                          • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                          • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                          • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                          • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                          • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                          • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                        • String ID:
                                        • API String ID: 1170566393-0
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        APIs
                                        • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Startup
                                        • String ID:
                                        • API String ID: 724789610-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: send
                                        • String ID:
                                        • API String ID: 2809346765-0
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                        • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                        • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                          • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                          • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                          • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                        • DeleteFileA.KERNEL32(?), ref: 0040868D
                                          • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                          • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                          • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                          • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                        • Sleep.KERNEL32(000007D0), ref: 00408733
                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                          • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                        • String ID: (PG$(aF$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                        • API String ID: 1067849700-414524693
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 004056E6
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • __Init_thread_footer.LIBCMT ref: 00405723
                                        • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                        • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                        • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                        • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                        • CloseHandle.KERNEL32 ref: 00405A23
                                        • CloseHandle.KERNEL32 ref: 00405A2B
                                        • CloseHandle.KERNEL32 ref: 00405A3D
                                        • CloseHandle.KERNEL32 ref: 00405A45
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                        • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                        • API String ID: 2994406822-18413064
                                        • Opcode ID: 8a058daa5e87d3f182b44868b89da68c74a294f22d62ea2036980ae8ede20df6
                                        • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                        • Opcode Fuzzy Hash: 8a058daa5e87d3f182b44868b89da68c74a294f22d62ea2036980ae8ede20df6
                                        • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 00412141
                                          • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                          • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                          • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                        • CloseHandle.KERNEL32(00000000), ref: 00412190
                                        • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                        Similarity
                                        • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                        • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                        • API String ID: 3018269243-13974260
                                        • Opcode ID: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                        • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                        • Opcode Fuzzy Hash: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                        • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                        • FindClose.KERNEL32(00000000), ref: 0040BC04
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                        • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                        • API String ID: 1164774033-3681987949
                                        • Opcode ID: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                        • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                        • Opcode Fuzzy Hash: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                        • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                        APIs
                                        • OpenClipboard.USER32 ref: 004168FD
                                        • EmptyClipboard.USER32 ref: 0041690B
                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                        • GlobalLock.KERNEL32(00000000), ref: 00416934
                                        • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                        • CloseClipboard.USER32 ref: 00416990
                                        • OpenClipboard.USER32 ref: 00416997
                                        • GetClipboardData.USER32(0000000D), ref: 004169A7
                                        • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                        • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                        • CloseClipboard.USER32 ref: 004169BF
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Similarity
                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                        • String ID: !D@$xdF
                                        • API String ID: 3520204547-3540039394
                                        • Opcode ID: 5191756a023fad829b92f3fa5878b55421fcb75fc4cc2359890982a259b57d49
                                        • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                        • Opcode Fuzzy Hash: 5191756a023fad829b92f3fa5878b55421fcb75fc4cc2359890982a259b57d49
                                        • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,`#l), ref: 0040F4C9
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,`#l), ref: 0040F4F4
                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,`#l), ref: 0040F59E
                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                        • CloseHandle.KERNEL32(00000000,?,`#l), ref: 0040F6A9
                                        Similarity
                                        • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$`#l$ieinstal.exe$ielowutil.exe$xdF$xdF
                                        • API String ID: 3756808967-2402398857
                                        • Opcode ID: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                        • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                        • Opcode Fuzzy Hash: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                        • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                        • FindClose.KERNEL32(00000000), ref: 0040BE04
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                        • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                        • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                        Similarity
                                        • API ID: Find$Close$File$FirstNext
                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 3527384056-432212279
                                        • Opcode ID: ac2c58898ed4881048f14169fe64a4f28670cbea93e3b81032ca527b9b506f8a
                                        • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                        • Opcode Fuzzy Hash: ac2c58898ed4881048f14169fe64a4f28670cbea93e3b81032ca527b9b506f8a
                                        • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                        APIs
                                        • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                        • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                        • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                        • CloseHandle.KERNEL32(?), ref: 004134A0
                                        Similarity
                                        • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                        • String ID:
                                        • API String ID: 297527592-0
                                        • Opcode ID: 573418a06dd7c073e455918c82d17ef7f90be6d35999627a98a3222c49d03fc5
                                        • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                        • Opcode Fuzzy Hash: 573418a06dd7c073e455918c82d17ef7f90be6d35999627a98a3222c49d03fc5
                                        • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                        Similarity
                                        • API ID:
                                        • String ID: 0$1$2$3$4$5$6$7$VG
                                        • API String ID: 0-1861860590
                                        • Opcode ID: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                        • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                        • Opcode Fuzzy Hash: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                        • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                        APIs
                                          • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                          • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                          • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                          • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                          • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                        • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                        Similarity
                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                        • String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
                                        • API String ID: 1589313981-3345310279
                                        • Opcode ID: 5a67a4a310bbeab77cb956b6f29dad078fe7ead2311179410cf603bdc65d0c30
                                        • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                        • Opcode Fuzzy Hash: 5a67a4a310bbeab77cb956b6f29dad078fe7ead2311179410cf603bdc65d0c30
                                        • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                        APIs
                                        • _wcslen.LIBCMT ref: 0040755C
                                        • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                        Similarity
                                        • API ID: Object_wcslen
                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                        • API String ID: 240030777-3166923314
                                        • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                        • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                        • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                        • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                        APIs
                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                        • GetLastError.KERNEL32 ref: 0041A84C
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                        Similarity
                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                        • String ID:
                                        • API String ID: 3587775597-0
                                        • Opcode ID: 6829f97737706ffae818d601d13e90887b13f82653637559be9d75c8c2a528fc
                                        • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                        • Opcode Fuzzy Hash: 6829f97737706ffae818d601d13e90887b13f82653637559be9d75c8c2a528fc
                                        • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                        Similarity
                                        • API ID: File$Find$CreateFirstNext
                                        • String ID: 8eF$PXG$PXG$`#l$NG$PG
                                        • API String ID: 341183262-3501711174
                                        • Opcode ID: 54ba81e991093c6dccfdaf9162f41bafa2f6235a57d0cd9d07ce0c43f714be51
                                        • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                        • Opcode Fuzzy Hash: 54ba81e991093c6dccfdaf9162f41bafa2f6235a57d0cd9d07ce0c43f714be51
                                        • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                        • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                        • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                        • String ID: JD$JD$JD
                                        • API String ID: 745075371-3517165026
                                        • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                        • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                        • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                        • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                        • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                        • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 1164774033-405221262
                                        • Opcode ID: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
                                        • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                        • Opcode Fuzzy Hash: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
                                        • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                          • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                        • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                        • String ID:
                                        • API String ID: 2341273852-0
                                        • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                        • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                        • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                        • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                        APIs
                                        • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                        • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                        • GetKeyState.USER32(00000010), ref: 0040A46E
                                        • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                        • ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                        • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                        • String ID:
                                        • API String ID: 1888522110-0
                                        • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                        • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                        • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                        • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                        APIs
                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                        • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                        • API String ID: 2127411465-314212984
                                        • Opcode ID: 906faeb5203d37c74ddcedaba27fd20c986479be3f450a41c0319093749beec0
                                        • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                        • Opcode Fuzzy Hash: 906faeb5203d37c74ddcedaba27fd20c986479be3f450a41c0319093749beec0
                                        • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                        APIs
                                        • _free.LIBCMT ref: 00449292
                                        • _free.LIBCMT ref: 004492B6
                                        • _free.LIBCMT ref: 0044943D
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                        • _free.LIBCMT ref: 00449609
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                        • String ID:
                                        • API String ID: 314583886-0
                                        • Opcode ID: 9d737620ee5c630f8ac732b373c324f56d4d8bd2db6b9a1ad30cafd364e2800f
                                        • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                        • Opcode Fuzzy Hash: 9d737620ee5c630f8ac732b373c324f56d4d8bd2db6b9a1ad30cafd364e2800f
                                        • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DownloadExecuteFileShell
                                        • String ID: 0aF$0aF$C:\Users\user\Desktop\ZZ.exe$open
                                        • API String ID: 2825088817-270629226
                                        • Opcode ID: a3d80589f937fc00409f1c87b067b324c796cd20f872ee043c00395bc31b0696
                                        • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                        • Opcode Fuzzy Hash: a3d80589f937fc00409f1c87b067b324c796cd20f872ee043c00395bc31b0696
                                        • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0040884C
                                        • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                        • String ID: xdF
                                        • API String ID: 1771804793-999140092
                                        • Opcode ID: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                        • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                        • Opcode Fuzzy Hash: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                        • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                        • GetLastError.KERNEL32 ref: 0040BA93
                                        Strings
                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                        • UserProfile, xrefs: 0040BA59
                                        • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                        • API String ID: 2018770650-1062637481
                                        • Opcode ID: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                        • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                        • Opcode Fuzzy Hash: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                        • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                        • GetLastError.KERNEL32 ref: 004179D8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3534403312-3733053543
                                        • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                        • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                        • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                        • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                        • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                        • Opcode Fuzzy Hash: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                        • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00409293
                                          • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                        • FindClose.KERNEL32(00000000), ref: 004093FC
                                          • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                          • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                          • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                        • FindClose.KERNEL32(00000000), ref: 004095F4
                                          • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                          • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                        • String ID:
                                        • API String ID: 1824512719-0
                                        • Opcode ID: 5217273ce41631ec4f36bb50ecbc328d28b03a03593037bf82bad60bde0a87b4
                                        • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                        • Opcode Fuzzy Hash: 5217273ce41631ec4f36bb50ecbc328d28b03a03593037bf82bad60bde0a87b4
                                        • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                        • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                        • String ID:
                                        • API String ID: 276877138-0
                                        • Opcode ID: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                        • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                        • Opcode Fuzzy Hash: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                        • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                        • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                        • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                        • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                        • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$FirstNextsend
                                        • String ID: 8eF$XPG$XPG
                                        • API String ID: 4113138495-4157548504
                                        • Opcode ID: 20c8045531a9471aa8b02c6f4ac93d25acd726a71398db01e6c16fdcd5dcb5aa
                                        • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                        • Opcode Fuzzy Hash: 20c8045531a9471aa8b02c6f4ac93d25acd726a71398db01e6c16fdcd5dcb5aa
                                        • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                        APIs
                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                          • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                          • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137E1
                                          • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateInfoParametersSystemValue
                                        • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                        • API String ID: 4127273184-3126330168
                                        • Opcode ID: 1b8314d2076e9d5c703d8fca3d96c61d813be21baf7682ae790ff92cd480d8bc
                                        • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                        • Opcode Fuzzy Hash: 1b8314d2076e9d5c703d8fca3d96c61d813be21baf7682ae790ff92cd480d8bc
                                        • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                        APIs
                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                        • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                        • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                        • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID: SETTINGS
                                        • API String ID: 3473537107-594951305
                                        • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                        • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                        • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                        • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004096A5
                                        • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstH_prologNext
                                        • String ID:
                                        • API String ID: 1157919129-0
                                        • Opcode ID: a4f9002d73e35e52d1f42a8e8860448eabd2e2251ec59754596a7abefe28d24e
                                        • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                        • Opcode Fuzzy Hash: a4f9002d73e35e52d1f42a8e8860448eabd2e2251ec59754596a7abefe28d24e
                                        • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                        • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                        • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                        • String ID:
                                        • API String ID: 4212172061-0
                                        • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                        • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                        • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                        • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID: p'E$JD
                                        • API String ID: 1084509184-908320845
                                        • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                        • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                        • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                        • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorInfoLastLocale$_free$_abort
                                        • String ID:
                                        • API String ID: 2829624132-0
                                        • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                        • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                        • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                        • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                        APIs
                                        • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                        • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                        • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                        • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                        • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                        • ExitProcess.KERNEL32 ref: 0044338F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                        • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                        • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                        • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                        APIs
                                        • OpenClipboard.USER32(00000000), ref: 0040B74C
                                        • GetClipboardData.USER32(0000000D), ref: 0040B758
                                        • CloseClipboard.USER32 ref: 0040B760
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$CloseDataOpen
                                        • String ID:
                                        • API String ID: 2058664381-0
                                        • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                        • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                        • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                        • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                        APIs
                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                        • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                        • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpenResume
                                        • String ID:
                                        • API String ID: 3614150671-0
                                        • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                        • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                        • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                        • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                        APIs
                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                        • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                        • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpenSuspend
                                        • String ID:
                                        • API String ID: 1999457699-0
                                        • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                        • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                        • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                        • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
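The two small functions above (OpenProcess at 0041BBA5 and 0041BBD1) are worth reading together: both open a target process with a desired-access mask of exactly 00000800, which is PROCESS_SUSPEND_RESUME, and then go straight to the native NtSuspendProcess / NtResumeProcess exports in NTDLL rather than any documented kernel32 wrapper. That is the minimal-privilege way to freeze and thaw a whole process, and the handle is closed immediately afterwards. The same pattern is used by debuggers and process managers, so on its own it is not malicious; what makes it notable here is its presence alongside the clipboard, keyboard-hook and credential-theft capabilities listed for this sample. Further down, GetLocaleInfoA is called as GetLocaleInfoA(00000800, 0000005A, 00000000, 00000003, ...), i.e. LOCALE_SYSTEM_DEFAULT with LCTYPE LOCALE_SISO3166CTRYNAME and a 3-byte buffer, which returns the two-letter ISO 3166 country code; the same frame carries a resolved text argument, "5.1.2 Pro", that the sandbox printed in place of a pointer.

The following Python script is an added example, not part of the Joe Sandbox report or of the sample. It parses API lines in the shape this report uses, decodes the OpenProcess access mask and the GetLocaleInfoA constants, pairs each PROCESS_SUSPEND_RESUME open with the native call that follows it, and surfaces any argument the sandbox resolved to text. The sample lines embedded in it are constructed copies of entries from this report; the constant values come from winnt.h and winnls.h.

```python
import re
from dataclasses import dataclass

# Constructed sample input: API lines in the shape the Joe Sandbox "APIs"
# listing uses (Name.MODULE(args), ref: address). These mirror entries
# found in this report; they are embedded so the script runs offline.
SAMPLE = """\
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
• NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
• CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
• NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.2 Pro), ref: 0040F920
• CloseClipboard.USER32 ref: 0040B760
"""

# Matches "Name.MODULE(args), ref: ADDR" and the no-argument form "Name.MODULE ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?"
    r"\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
# Sandbox prints raw stack slots as 8 hex digits (occasionally negative).
HEX_ARG = re.compile(r"-?[0-9A-F]{8}")

# Process access rights from winnt.h; OpenProcess's first argument is this mask.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# LCID and LCTYPE values from winnls.h used by the GetLocaleInfoA call in this report.
LCID_NAMES = {0x0400: "LOCALE_USER_DEFAULT", 0x0800: "LOCALE_SYSTEM_DEFAULT"}
LCTYPE_NAMES = {0x59: "LOCALE_SISO639LANGNAME", 0x5A: "LOCALE_SISO3166CTRYNAME"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int


def parse_api_lines(text):
    """Parse every recognisable API line; lines that do not match the shape are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_process_access(mask):
    """Expand an OpenProcess desired-access mask into named rights; unknown bits are kept as hex."""
    names = [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)
    if leftover:
        names.append(hex(leftover))
    return names


def find_suspend_resume(calls):
    """Pair each OpenProcess that requests PROCESS_SUSPEND_RESUME with the native
    NtSuspendProcess/NtResumeProcess that immediately follows it in the listing."""
    hits = []
    for prev, cur in zip(calls, calls[1:]):
        if prev.name != "OpenProcess" or not prev.args or not HEX_ARG.fullmatch(prev.args[0]):
            continue
        mask = int(prev.args[0], 16)
        if mask & 0x0800 and cur.name in ("NtSuspendProcess", "NtResumeProcess"):
            hits.append((prev.ref, cur.name))
    return hits


def decode_locale_call(call):
    """Name the LCID and LCTYPE of a GetLocaleInfoA/W call and return its buffer size."""
    lcid, lctype, _buf, size = (int(a, 16) for a in call.args[:4])
    return (LCID_NAMES.get(lcid, hex(lcid)), LCTYPE_NAMES.get(lctype, hex(lctype)), size)


def string_args(calls):
    """Collect arguments the sandbox resolved to text rather than a hex value or '?'."""
    found = {}
    for c in calls:
        strings = [a for a in c.args if a != "?" and not HEX_ARG.fullmatch(a)]
        if strings:
            found.setdefault(c.name, []).extend(strings)
    return found


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for ref, native in find_suspend_resume(calls):
        print(f"OpenProcess at {ref:08X} -> {native}")
    for c in calls:
        if c.name.startswith("GetLocaleInfo"):
            print(c.name, decode_locale_call(c))
    print("resolved strings:", string_args(calls))
```

When applied to a full report export, the suspend/resume pairing and the resolved-string scan give two quick pivots: the pair of addresses to inspect in the memory dump, and any text the sandbox recovered from the stack that can be searched for across other samples.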
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: .
                                        • API String ID: 0-248832578
                                        • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                        • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                        • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                        • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID: JD
                                        • API String ID: 1084509184-2669065882
                                        • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                        • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                        • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                        • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: GetLocaleInfoEx
                                        • API String ID: 2299586839-2904428671
                                        • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                        • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                        • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                        • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                        • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                        • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                        • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$FreeProcess
                                        • String ID:
                                        • API String ID: 3859560861-0
                                        • Opcode ID: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
                                        • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                        • Opcode Fuzzy Hash: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
                                        • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                        • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                        • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                        • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                        • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                        • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                        • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FeaturePresentProcessor
                                        • String ID:
                                        • API String ID: 2325560087-0
                                        • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                        • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                        • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                        • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                        • String ID:
                                        • API String ID: 1663032902-0
                                        • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                        • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                        • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                        • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale_abort_free
                                        • String ID:
                                        • API String ID: 2692324296-0
                                        • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                        • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                        • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                        • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                        APIs
                                          • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                        • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                        • String ID:
                                        • API String ID: 1272433827-0
                                        • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                        • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                        • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                        • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID:
                                        • API String ID: 1084509184-0
                                        • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                        • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                        • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                        • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                        APIs
                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.2 Pro), ref: 0040F920
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                        • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                        • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                        • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                        • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                        • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                        • Instruction Fuzzy Hash:
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                        • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                        • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                        • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                        • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                        • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                        • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                        • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                        • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                        • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                        • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                        • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                        • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                        • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                        • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                        • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                        • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                        • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                        • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                        • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                        • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                        • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                        • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                        • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                        • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                        • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                        • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                        • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                        • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                        • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                        • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                        • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                        • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                        • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                        • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                        • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                        APIs
                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                        • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                          • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                        • DeleteDC.GDI32(00000000), ref: 00418F65
                                        • DeleteDC.GDI32(00000000), ref: 00418F68
                                        • DeleteObject.GDI32(00000000), ref: 00418F6B
                                        • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                        • DeleteDC.GDI32(00000000), ref: 00418F9D
                                        • DeleteDC.GDI32(00000000), ref: 00418FA0
                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                        • GetCursorInfo.USER32(?), ref: 00418FE2
                                        • GetIconInfo.USER32(?,?), ref: 00418FF8
                                        • DeleteObject.GDI32(?), ref: 00419027
                                        • DeleteObject.GDI32(?), ref: 00419034
                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                        • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                        • DeleteDC.GDI32(?), ref: 004191B7
                                        • DeleteDC.GDI32(00000000), ref: 004191BA
                                        • DeleteObject.GDI32(00000000), ref: 004191BD
                                        • GlobalFree.KERNEL32(?), ref: 004191C8
                                        • DeleteObject.GDI32(00000000), ref: 0041927C
                                        • GlobalFree.KERNEL32(?), ref: 00419283
                                        • DeleteDC.GDI32(?), ref: 00419293
                                        • DeleteDC.GDI32(00000000), ref: 0041929E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                        • String ID: DISPLAY
                                        • API String ID: 4256916514-865373369
                                        • Opcode ID: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                        • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                        • Opcode Fuzzy Hash: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                        • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                        APIs
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                        • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                        • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                        • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                        • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                        • ResumeThread.KERNEL32(?), ref: 00418470
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                        • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                        • GetLastError.KERNEL32 ref: 004184B5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Wu$ntdll
                                        • API String ID: 4188446516-529412701
                                        • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                        • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                        • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                        • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                        APIs
                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                          • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                          • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                        • ExitProcess.KERNEL32 ref: 0040D80B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`#l$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("$xdF$xpF
                                        • API String ID: 1861856835-789620690
                                        • Opcode ID: 3831aceb1d22e6e7d0b93e81b17b4507cce6e75ae5e0c8aaec154484add800c1
                                        • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                        • Opcode Fuzzy Hash: 3831aceb1d22e6e7d0b93e81b17b4507cce6e75ae5e0c8aaec154484add800c1
                                        • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                        APIs
                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                          • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                          • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                        • ExitProcess.KERNEL32 ref: 0040D454
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`#l$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xdF$xpF
                                        • API String ID: 3797177996-1827988287
                                        • Opcode ID: 5ea89510e99e255cff43ffc81d3dc9d7b560b2414651548bcd7dcad2d5155117
                                        • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                        • Opcode Fuzzy Hash: 5ea89510e99e255cff43ffc81d3dc9d7b560b2414651548bcd7dcad2d5155117
                                        • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                        • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                        • CloseHandle.KERNEL32(00000000), ref: 00412576
                                        • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                        • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                        • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                          • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                        • Sleep.KERNEL32(000001F4), ref: 004126BD
                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                        • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                        • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                        • String ID: .exe$WDH$`#l$exepath$open$temp_
                                        • API String ID: 2649220323-3017724159
                                        • Opcode ID: e4498816270222a488e6bf5402939aedbcf49cf9c73125b441753154fee32edb
                                        • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                        • Opcode Fuzzy Hash: e4498816270222a488e6bf5402939aedbcf49cf9c73125b441753154fee32edb
                                        • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                        APIs
                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                        • SetEvent.KERNEL32 ref: 0041B2AA
                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                        • CloseHandle.KERNEL32 ref: 0041B2CB
                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                        • API String ID: 738084811-2094122233
                                        • Opcode ID: 1d877dcbc1b23002afbada965c9bddf541debd2a79e700171488071fa355c7d2
                                        • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                        • Opcode Fuzzy Hash: 1d877dcbc1b23002afbada965c9bddf541debd2a79e700171488071fa355c7d2
                                        • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                        • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                        • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                        • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Write$Create
                                        • String ID: RIFF$WAVE$data$fmt
                                        • API String ID: 1602526932-4212202414
                                        APIs
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\ZZ.exe,00000001,00407688,C:\Users\user\Desktop\ZZ.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                        • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                        • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                        • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: C:\Users\user\Desktop\ZZ.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                        • API String ID: 1646373207-2514165122
                                        APIs
                                        • _wcslen.LIBCMT ref: 0040CE42
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\ZZ.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                        • _wcslen.LIBCMT ref: 0040CF21
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\ZZ.exe,00000000,00000000), ref: 0040CFBF
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                        • _wcslen.LIBCMT ref: 0040D001
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                        • ExitProcess.KERNEL32 ref: 0040D09D
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                        • String ID: 6$C:\Users\user\Desktop\ZZ.exe$del$open$xdF
                                        • API String ID: 1579085052-4289508106
                                        APIs
                                        • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                        • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                        • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                        • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                        • _wcslen.LIBCMT ref: 0041C1CC
                                        • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                        • GetLastError.KERNEL32 ref: 0041C204
                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                        • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                        • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                        • GetLastError.KERNEL32 ref: 0041C261
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                        • String ID: ?
                                        • API String ID: 3941738427-1684325040
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                        • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                        • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                        • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                        • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                        • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                        • Sleep.KERNEL32(00000064), ref: 00412ECF
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                        • String ID: /stext "$,aF$0TG$0TG$NG$NG
                                        • API String ID: 1223786279-4119708859
                                        APIs
                                        Yara matches
                                        Similarity
                                        • API ID: _free$EnvironmentVariable$_wcschr
                                        • String ID:
                                        • API String ID: 3899193279-0
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                        • __aulldiv.LIBCMT ref: 00408D88
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                        • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                        • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                        • CloseHandle.KERNEL32(00000000), ref: 00409037
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF$NG
                                        • API String ID: 3086580692-3944908133
                                        APIs
                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                        • GetCursorPos.USER32(?), ref: 0041D67A
                                        • SetForegroundWindow.USER32(?), ref: 0041D683
                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                        • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                        • ExitProcess.KERNEL32 ref: 0041D6F6
                                        • CreatePopupMenu.USER32 ref: 0041D6FC
                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                        • String ID: Close
                                        • API String ID: 1657328048-3535843008
                                        APIs
                                        Yara matches
                                        Similarity
                                        • API ID: _free$Info
                                        • String ID:
                                        • API String ID: 2509303402-0
                                        APIs
                                          • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                          • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                          • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                          • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                          • Part of subcall function 00413733: RegCloseKey.ADVAPI32(00000000), ref: 00413773
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                        • ExitProcess.KERNEL32 ref: 0040D9FF
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                        • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$`#l$exepath$open$xdF
                                        • API String ID: 1913171305-1016136548
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                        • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                        • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                        • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                        • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                        • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                        • String ID: \ws2_32$\wship6$getaddrinfo
                                        • API String ID: 2490988753-3078833738
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 0045138A
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                          • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                        • _free.LIBCMT ref: 0045137F
                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 004513A1
                                        • _free.LIBCMT ref: 004513B6
                                        • _free.LIBCMT ref: 004513C1
                                        • _free.LIBCMT ref: 004513E3
                                        • _free.LIBCMT ref: 004513F6
                                        • _free.LIBCMT ref: 00451404
                                        • _free.LIBCMT ref: 0045140F
                                        • _free.LIBCMT ref: 00451447
                                        • _free.LIBCMT ref: 0045144E
                                        • _free.LIBCMT ref: 0045146B
                                        • _free.LIBCMT ref: 00451483
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0041A04A
                                        • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                        • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                        • GetLocalTime.KERNEL32(?), ref: 0041A196
                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                        Similarity
                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                        • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        APIs
                                          • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                        • GetLastError.KERNEL32 ref: 00455D6F
                                        • __dosmaperr.LIBCMT ref: 00455D76
                                        • GetFileType.KERNEL32(00000000), ref: 00455D82
                                        • GetLastError.KERNEL32 ref: 00455D8C
                                        • __dosmaperr.LIBCMT ref: 00455D95
                                        • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                        • CloseHandle.KERNEL32(?), ref: 00455EFF
                                        • GetLastError.KERNEL32 ref: 00455F31
                                        • __dosmaperr.LIBCMT ref: 00455F38
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: H
                                        Similarity
                                        • API ID: _free
                                        • String ID: \&G$\&G$`&G
                                        Similarity
                                        • API ID:
                                        • String ID: 65535$udp
                                        APIs
                                        • OpenClipboard.USER32 ref: 0041697C
                                        • EmptyClipboard.USER32 ref: 0041698A
                                        • CloseClipboard.USER32 ref: 00416990
                                        • OpenClipboard.USER32 ref: 00416997
                                        • GetClipboardData.USER32(0000000D), ref: 004169A7
                                        • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                        • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                        • CloseClipboard.USER32 ref: 004169BF
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Similarity
                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                        • String ID: !D@$xdF
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                        • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                        • __dosmaperr.LIBCMT ref: 0043A926
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                        • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                        • __dosmaperr.LIBCMT ref: 0043A963
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                        • __dosmaperr.LIBCMT ref: 0043A9B7
                                        • _free.LIBCMT ref: 0043A9C3
                                        • _free.LIBCMT ref: 0043A9CA
                                        Similarity
                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                        • String ID:
                                        APIs
                                        • SetEvent.KERNEL32(?,?), ref: 004054BF
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                        • TranslateMessage.USER32(?), ref: 0040557E
                                        • DispatchMessageA.USER32(?), ref: 00405589
                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Similarity
                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                          • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                          • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                        Similarity
                                        • API ID: CloseEnumInfoOpenQuerysend
                                        • String ID: (aF$,aF$xUG$xdF$NG$NG$TG
                                        APIs
                                          • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                        • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                        • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Similarity
                                        • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                        • String ID: 0VG$0VG$<$@$Temp
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                        • int.LIBCPMT ref: 00410EBC
                                          • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                          • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                        • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                        • __Init_thread_footer.LIBCMT ref: 00410F64
                                        Strings
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                        • String ID: ,kG$0kG$@!G
                                        • API String ID: 3815856325-312998898
                                        • Opcode ID: 234cc645e6f2b623d94fc8cb2d29f52bc734eee13d30ec18b0bfe81019bed365
                                        • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                        • Opcode Fuzzy Hash: 234cc645e6f2b623d94fc8cb2d29f52bc734eee13d30ec18b0bfe81019bed365
                                        • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 096e2c87fc6c65f47e4c6c752a7259066b900e282f660f6c8049b8ab8b72f741
                                        • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                        • Opcode Fuzzy Hash: 096e2c87fc6c65f47e4c6c752a7259066b900e282f660f6c8049b8ab8b72f741
                                        • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                        APIs
                                        • _free.LIBCMT ref: 004481B5
                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 004481C1
                                        • _free.LIBCMT ref: 004481CC
                                        • _free.LIBCMT ref: 004481D7
                                        • _free.LIBCMT ref: 004481E2
                                        • _free.LIBCMT ref: 004481ED
                                        • _free.LIBCMT ref: 004481F8
                                        • _free.LIBCMT ref: 00448203
                                        • _free.LIBCMT ref: 0044820E
                                        • _free.LIBCMT ref: 0044821C
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                        • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                        • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                        • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                        • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C738
                                        • DisplayName, xrefs: 0041C7CD
                                        • API ID: CloseEnumOpen
                                        • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                        • API String ID: 1332880857-3614651759
                                        • Opcode ID: 0758d2217d4cdf4be18b27332201ce298183b926a753a4e26667fde6bb3e7a3c
                                        • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                        • Opcode Fuzzy Hash: 0758d2217d4cdf4be18b27332201ce298183b926a753a4e26667fde6bb3e7a3c
                                        • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • API ID: Eventinet_ntoa
                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                        • API String ID: 3578746661-3604713145
                                        • Opcode ID: a77d47271dc343d34bbee68d757bbcc928c929ff734791c6900b147cae5cbd3f
                                        • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                        • Opcode Fuzzy Hash: a77d47271dc343d34bbee68d757bbcc928c929ff734791c6900b147cae5cbd3f
                                        • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                        • Sleep.KERNEL32(00000064), ref: 0041755C
                                        • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                        • API ID: File$CreateDeleteExecuteShellSleep
                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                        • API String ID: 1462127192-2001430897
                                        • Opcode ID: 74e705e902443d92e757842fd98a6aa38e7ce8337cfacc1c2ca4f7e1e99f0fa5
                                        • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                        • Opcode Fuzzy Hash: 74e705e902443d92e757842fd98a6aa38e7ce8337cfacc1c2ca4f7e1e99f0fa5
                                        • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                        • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\ZZ.exe), ref: 004074D9
                                        • API ID: CurrentProcess
                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                        • API String ID: 2050909247-4242073005
                                        • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                        • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                        • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                        • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                        APIs
                                        • _strftime.LIBCMT ref: 00401D50
                                          • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                        • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                        • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                        • API String ID: 3809562944-243156785
                                        • Opcode ID: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                        • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                        • Opcode Fuzzy Hash: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                        • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                        APIs
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                        • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                        • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                        • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                        • waveInStart.WINMM ref: 00401CFE
                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                        • String ID: dMG$|MG$PG
                                        • API String ID: 1356121797-532278878
                                        • Opcode ID: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                        • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                        • Opcode Fuzzy Hash: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                        • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                          • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                          • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                          • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                        • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                        • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                        • TranslateMessage.USER32(?), ref: 0041D57A
                                        • DispatchMessageA.USER32(?), ref: 0041D584
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                        • String ID: Remcos
                                        • API String ID: 1970332568-165870891
                                        • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                        • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                        • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                        • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                        APIs
                                        • AllocConsole.KERNEL32(`#l), ref: 0041CE35
                                        • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                        • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                        • API ID: Console$Window$AllocOutputShow
                                        • String ID: Remcos v$5.1.2 Pro$CONOUT$$`#l
                                        • API String ID: 4067487056-2458988125
                                        • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                        • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                        • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                        • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
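The function blocks above for service control (OpenSCManagerW, OpenServiceW, ControlService), Uninstall-key enumeration (RegOpenKeyExA/RegEnumKeyExA with the DisplayName string), host profiling through dxdiag (ShellExecuteW open dxdiag next to the "/t " and "\sysinfo.txt" strings, then DeleteFileW), microphone capture (waveInOpen/waveInAddBuffer) and the hidden console (AllocConsole, ShowWindow with command 0) each expose a capability only as a bare API listing with raw hex argument columns. The Python below is an added triage example; it is not part of the Joe Sandbox report and not code from the Remcos binary. It parses those bullet lines, decodes the documented Win32 constants that appear in them (0x80000002 = HKEY_LOCAL_MACHINE, 0x00020019 = KEY_READ, ControlService code 1 = SERVICE_CONTROL_STOP, ShowWindow command 0 = SW_HIDE, and the 0x000F003F service access mask) and tags each block with a capability. The rule table, the tag names, and the assumption that the positional hex columns are the call's arguments as the IDA plugin recovered them are this example's own; the sample input is copied from the blocks above.

```python
"""Triage helper for the per-function 'APIs' listings of a Joe Sandbox report.
Added example, not Joe Sandbox code: it parses the bullet lines into structured
calls, decodes documented Win32 constants shown as raw hex, and maps API
co-occurrence inside one function block to capability tags of its own naming."""
import re

API_LINE = re.compile(
    r"^\s*•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?"
    r"(?P<name>[^\s(]+?)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 constants, used to decode raw hex argument columns.
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
                  0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0xF0000: "STANDARD_RIGHTS_REQUIRED"}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
KEY_READ = 0x20019

# Capability rules (this example's own): every API named must be called
# directly, not via a subcall, from the same function block.
RULES = [
    ({"OpenSCManagerW", "OpenServiceW", "ControlService"}, "service-control"),
    ({"RegOpenKeyExA", "RegEnumKeyExA"}, "installed-software-inventory"),
    ({"ShellExecuteW", "DeleteFileW"}, "host-profiling-via-external-tool"),
    ({"AllocConsole", "ShowWindow"}, "hidden-console"),
    ({"waveInOpen", "waveInAddBuffer"}, "microphone-capture"),
]

def hexval(token):
    """Parse one argument column as hex; None for '?' and string arguments."""
    try:
        return int(token, 16)
    except ValueError:
        return None

def decode_mask(value, table):
    """Name every bit group of `table` that is fully set in an access mask."""
    return sorted(name for bit, name in table.items() if (value & bit) == bit)

def parse_api_line(line):
    """Turn one '• Api.MODULE(args), ref: ADDR' bullet into a dict, else None."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return {"name": m["name"], "module": m["mod"], "args": args,
            "ref": int(m["ref"], 16), "subcall": "Part of subcall" in line}

def annotate(call):
    """Decode the argument constants that matter for the calls in this sample."""
    name, args, notes = call["name"], call["args"], []
    if name == "ControlService" and len(args) > 1:
        notes.append(SERVICE_CONTROL.get(hexval(args[1]), "unknown-control"))
    elif name == "OpenServiceW" and len(args) > 2 and hexval(args[2]) is not None:
        notes.extend(decode_mask(hexval(args[2]), SERVICE_ACCESS))
    elif name == "RegOpenKeyExA" and len(args) > 3:
        notes.append(HIVES.get(hexval(args[0]), "?") + "\\" + args[1])
        if hexval(args[3]) == KEY_READ:
            notes.append("KEY_READ")
    elif name == "ShowWindow" and len(args) > 1 and hexval(args[1]) == 0:
        notes.append("SW_HIDE")
    return notes

def triage(block_text):
    """Parse one function block; return its calls, decoded notes and tags."""
    calls = [c for c in map(parse_api_line, block_text.splitlines()) if c]
    direct = {c["name"] for c in calls if not c["subcall"]}
    notes = {c["name"]: annotate(c) for c in calls if annotate(c)}
    return {"calls": calls, "notes": notes,
            "tags": [tag for needed, tag in RULES if needed <= direct]}

# Sample input: 'APIs' bullets of four function blocks, copied from the report.
SAMPLE_BLOCKS = {
    "0041ABAD": """\
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
""",
    "0041C742": """\
• RegOpenKeyExA.ADVAPI32(80000002,Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall,00000000,00020019,?), ref: 0041C742
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
""",
    "00417530": """\
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
• DeleteFileW.KERNEL32(00000000), ref: 00417590
""",
    "0041CE35": """\
• AllocConsole.KERNEL32(`#l), ref: 0041CE35
• GetConsoleWindow.KERNEL32 ref: 0041CE3B
• ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
""",
}
```

Calling triage() on the service block decodes the OpenServiceW mask 0x000F003F as STANDARD_RIGHTS_REQUIRED plus all six service rights (SERVICE_STOP among them) and ControlService's second argument as SERVICE_CONTROL_STOP, which is what makes that block a service-stop routine rather than a generic SCM query; the registry block decodes to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall opened with KEY_READ, i.e. read-only inventory of installed software. The caveat a triager needs: the argument columns in these listings are partly unknown (?) or leftovers such as `#l, so decode only positions that match the documented prototype, as annotate() does, and treat everything else as untrusted.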
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Opcode ID: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                        • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                        • Opcode Fuzzy Hash: ed6e8dde3cdd9862c5be3ded71a2773307dc59359bf90b76219a4653831d67c7
                                        • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                        APIs
                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                        • __alloca_probe_16.LIBCMT ref: 00453F6A
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                        • __alloca_probe_16.LIBCMT ref: 00454014
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                        • __freea.LIBCMT ref: 00454083
                                        • __freea.LIBCMT ref: 0045408F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                        • String ID:
                                        • API String ID: 201697637-0
                                        • Opcode ID: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                        • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                        • Opcode Fuzzy Hash: d666079201eac34123aff993431e960db56ae36dfd708acf9a18ada5241d4519
                                        • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • _memcmp.LIBVCRUNTIME ref: 004454A4
                                        • _free.LIBCMT ref: 00445515
                                        • _free.LIBCMT ref: 0044552E
                                        • _free.LIBCMT ref: 00445560
                                        • _free.LIBCMT ref: 00445569
                                        • _free.LIBCMT ref: 00445575
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorLast$_abort_memcmp
                                        • String ID: C
                                        • API String ID: 1679612858-1037565863
                                        • Opcode ID: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                        • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                        • Opcode Fuzzy Hash: 270cf3bb6288f401d2b81aec4bec5e705b2579f2f1b63f3c4bd6d63e951100ee
                                        • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: tcp$udp
                                        • API String ID: 0-3725065008
                                        • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                        • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                        • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                        • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 004018BE
                                        • ExitThread.KERNEL32 ref: 004018F6
                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                        • String ID: PkG$XMG$NG$NG
                                        • API String ID: 1649129571-3151166067
                                        • Opcode ID: 04c6230229ba03dc03dd42187752d24fce62bcfb967b9c5647b680e770e32543
                                        • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                        • Opcode Fuzzy Hash: 04c6230229ba03dc03dd42187752d24fce62bcfb967b9c5647b680e770e32543
                                        • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                        • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                          • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                          • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                        • String ID: .part
                                        • API String ID: 1303771098-3499674018
                                        • Opcode ID: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
                                        • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                        • Opcode Fuzzy Hash: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
                                        • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                        • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                        • __alloca_probe_16.LIBCMT ref: 0044AE40
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                        • __freea.LIBCMT ref: 0044AEB0
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        • __freea.LIBCMT ref: 0044AEB9
                                        • __freea.LIBCMT ref: 0044AEDE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                        • String ID:
                                        • API String ID: 3864826663-0
                                        • Opcode ID: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                        • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                        • Opcode Fuzzy Hash: b8cd4310d0de59be5354cf63c717d249675af8b9c8b383ed5ef79fab109b86d3
                                        • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                        APIs
                                        • SendInput.USER32 ref: 00419A25
                                        • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                        • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                          • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InputSend$Virtual
                                        • String ID:
                                        • API String ID: 1167301434-0
                                        • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                        • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                        • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                        • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16_free
                                        • String ID: a/p$am/pm$h{D
                                        • API String ID: 2936374016-2303565833
                                        • Opcode ID: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                        • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                        • Opcode Fuzzy Hash: 3f6e07506486b6d7dbef2a606a64f0e75de21b8703f606ba4f5b284e1050ed44
                                        • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                        APIs
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        • _free.LIBCMT ref: 00444E87
                                        • _free.LIBCMT ref: 00444E9E
                                        • _free.LIBCMT ref: 00444EBD
                                        • _free.LIBCMT ref: 00444ED8
                                        • _free.LIBCMT ref: 00444EEF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$AllocateHeap
                                        • String ID: KED
                                        • API String ID: 3033488037-2133951994
                                        • Opcode ID: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                        • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                        • Opcode Fuzzy Hash: dfa49ca82d32c8382211b9fb73ae343eb5cb7a7eabed5eea37687c7cf3770045
                                        • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                        APIs
                                        • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Enum$InfoQueryValue
                                        • String ID: [regsplt]$xUG$TG
                                        • API String ID: 3554306468-1165877943
                                        • Opcode ID: 6129f07ca8e649aa684d27b9dba7dc75c53e511e8a381502f1a2dc1ed25c8145
                                        • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                        • Opcode Fuzzy Hash: 6129f07ca8e649aa684d27b9dba7dc75c53e511e8a381502f1a2dc1ed25c8145
                                        • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                        APIs
                                        • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                        • __fassign.LIBCMT ref: 0044B4F9
                                        • __fassign.LIBCMT ref: 0044B514
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                        • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                        • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                        • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                        • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                        APIs
                                          • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                          • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                          • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                        • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                        • API String ID: 1133728706-4073444585
                                        • Opcode ID: e02571ccf1d8d7642eb7522d4ecac0f64e4039cdab1393baceb5a006cb27889d
                                        • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                        • Opcode Fuzzy Hash: e02571ccf1d8d7642eb7522d4ecac0f64e4039cdab1393baceb5a006cb27889d
                                        • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                        • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                        • Opcode Fuzzy Hash: 3e1437a1f94eb298758500833f4fd37ec9f384a351c1712870bfe34c5990e753
                                        • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                        APIs
                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                        • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                        • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                        Strings
                                        • http://geoplugin.net/json.gp, xrefs: 0041B448
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleOpen$FileRead
                                        • String ID: http://geoplugin.net/json.gp
                                        • API String ID: 3121278467-91888290
                                        • Opcode ID: cc18b0f60563c6ad6f9a26d76095e6aabadcdc754726bec99fffa54df7cc8bd2
                                        • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                        • Opcode Fuzzy Hash: cc18b0f60563c6ad6f9a26d76095e6aabadcdc754726bec99fffa54df7cc8bd2
                                        • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                        APIs
                                          • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                        • _free.LIBCMT ref: 00450FC8
                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 00450FD3
                                        • _free.LIBCMT ref: 00450FDE
                                        • _free.LIBCMT ref: 00451032
                                        • _free.LIBCMT ref: 0045103D
                                        • _free.LIBCMT ref: 00451048
                                        • _free.LIBCMT ref: 00451053
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                        • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                        • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                        • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                        • int.LIBCPMT ref: 004111BE
                                          • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                          • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                        • std::_Facet_Register.LIBCPMT ref: 004111FE
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID: (mG
                                        • API String ID: 2536120697-4059303827
                                        • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                        • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                        • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                        • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                        APIs
                                        • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                        • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                        • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                        • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                        • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                        APIs
                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\ZZ.exe), ref: 0040760B
                                          • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                          • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                        • CoUninitialize.OLE32 ref: 00407664
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InitializeObjectUninitialize_wcslen
                                        • String ID: C:\Users\user\Desktop\ZZ.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                        • API String ID: 3851391207-3622418549
                                        • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                        • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                        • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                        • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                        • GetLastError.KERNEL32 ref: 0040BB22
                                        Strings
                                        • UserProfile, xrefs: 0040BAE8
                                        • [Chrome Cookies not found], xrefs: 0040BB3C
                                        • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                        • API String ID: 2018770650-304995407
                                        • Opcode ID: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                        • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                        • Opcode Fuzzy Hash: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                        • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: C:\Users\user\Desktop\ZZ.exe$Rmc-EIENFE$xdF
                                        • API String ID: 0-54130748
                                        • Opcode ID: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
                                        • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                        • Opcode Fuzzy Hash: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
                                        • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                        APIs
                                        • _free.LIBCMT ref: 00444106
                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 00444118
                                        • _free.LIBCMT ref: 0044412B
                                        • _free.LIBCMT ref: 0044413C
                                        • _free.LIBCMT ref: 0044414D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID: 2m
                                        • API String ID: 776569668-977460488
                                        • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                        • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                        • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                        • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                        APIs
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                        • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                        • Sleep.KERNEL32(00002710), ref: 0041AE98
                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                        • String ID: Alarm triggered$`Wu
                                        • API String ID: 614609389-1738255680
                                        • Opcode ID: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                        • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                        • Opcode Fuzzy Hash: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                        • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                        APIs
                                        • __allrem.LIBCMT ref: 0043ACE9
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                        • __allrem.LIBCMT ref: 0043AD1C
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                        • __allrem.LIBCMT ref: 0043AD51
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                        • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                        • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                        • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                        APIs
                                        • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                          • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: H_prologSleep
                                        • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                        • API String ID: 3469354165-3054508432
                                        • Opcode ID: fef66e343663587799a4fb7e411b7be832f70b8e55665d4bb62892141d3c40a9
                                        • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                        • Opcode Fuzzy Hash: fef66e343663587799a4fb7e411b7be832f70b8e55665d4bb62892141d3c40a9
                                        • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                        APIs
                                          • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                        • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                        • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                        • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                          • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                          • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                          • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                        • String ID:
                                        • API String ID: 3950776272-0
                                        • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                        • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                        • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                        • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __cftoe
                                        • String ID:
                                        • API String ID: 4189289331-0
                                        • Opcode ID: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                        • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                        • Opcode Fuzzy Hash: 8a4c5be280cb6c814f8e43a2c8dbee5c21d103d485289201cbd24c59527051e2
                                        • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                        • String ID:
                                        • API String ID: 493672254-0
                                        • Opcode ID: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                        • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                        • Opcode Fuzzy Hash: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                        • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                        APIs
                                        • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • _free.LIBCMT ref: 004482CC
                                        • _free.LIBCMT ref: 004482F4
                                        • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                        • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • _abort.LIBCMT ref: 00448313
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                        • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                        • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                        • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                        • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                        • Opcode Fuzzy Hash: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                        • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                        • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                        • Opcode Fuzzy Hash: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                        • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                        • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                        • Opcode Fuzzy Hash: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                        • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CountEventTick
                                        • String ID: !D@$,aF$NG
                                        • API String ID: 180926312-2771706352
                                        • Opcode ID: 8d1923479cacbc34f83a544ec5835a1411f1c8a0dee8a7d2746b66dcfc5bfbac
                                        • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                        • Opcode Fuzzy Hash: 8d1923479cacbc34f83a544ec5835a1411f1c8a0dee8a7d2746b66dcfc5bfbac
                                        • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ZZ.exe,00000104), ref: 00443515
                                        • _free.LIBCMT ref: 004435E0
                                        • _free.LIBCMT ref: 004435EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: 0&k$C:\Users\user\Desktop\ZZ.exe
                                        • API String ID: 2506810119-370602580
                                        • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                        • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                        • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                        • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                        APIs
                                          • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                          • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                          • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                          • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                          • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                        • _wcslen.LIBCMT ref: 0041B7F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                        • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                        • API String ID: 3286818993-4246244872
                                        • Opcode ID: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                        • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                        • Opcode Fuzzy Hash: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                        • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                        APIs
                                        • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                        • GetLastError.KERNEL32 ref: 0041D611
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ClassCreateErrorLastRegisterWindow
                                        • String ID: 0$MsgWindowClass
                                        • API String ID: 2877667751-2410386613
                                        • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                        • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                        • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                        • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                        APIs
                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                        • CloseHandle.KERNEL32(?), ref: 004077E5
                                        • CloseHandle.KERNEL32(?), ref: 004077EA
                                        Strings
                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                        • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreateProcess
                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                        • API String ID: 2922976086-4183131282
                                        • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                        • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                        • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                        • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                        • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                        • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                        • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                        • String ID: KeepAlive | Disabled
                                        • API String ID: 2993684571-305739064
                                        • Opcode ID: 79b17cb61ca097f2dd87540d91e49b40a86234966918d688794a6c742f2a43ed
                                        • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                        • Opcode Fuzzy Hash: 79b17cb61ca097f2dd87540d91e49b40a86234966918d688794a6c742f2a43ed
                                        • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                        Strings
                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                        • API String ID: 3024135584-2418719853
                                        • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                        • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                        • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                        • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                        • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                        • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                        • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                        APIs
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                        • _free.LIBCMT ref: 0044943D
                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 00449609
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                        • String ID:
                                        • API String ID: 1286116820-0
                                        • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                        • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                        • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                        • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                        APIs
                                          • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                          • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                        • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                          • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,`#l), ref: 0041C08B
                                          • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,`#l), ref: 0041C096
                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                          • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 2180151492-0
                                        • Opcode ID: b612a60f51ba30386d7e6c27c988ec9eea2298f46b4f956bf04d12ed4463d939
                                        • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                        • Opcode Fuzzy Hash: b612a60f51ba30386d7e6c27c988ec9eea2298f46b4f956bf04d12ed4463d939
                                        • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                        • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                        • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                        • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                        • __alloca_probe_16.LIBCMT ref: 00451231
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                        • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                        • __freea.LIBCMT ref: 0045129D
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                        • String ID:
                                        • API String ID: 313313983-0
                                        • Opcode ID: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                        • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                        • Opcode Fuzzy Hash: 695a5f3fdf384fa9d4863fe56c7c43b71593cfbe7e8d533d6dff3d4dffab5c55
                                        • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                          • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                        • _free.LIBCMT ref: 0044F43F
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        • Opcode ID: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                        • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                        • Opcode Fuzzy Hash: 5a321bf6ad982bb41f22afd847bffa7b7f2aa598f804dd442cdb837d811de21f
                                        • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                        APIs
                                        • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                        • _free.LIBCMT ref: 00448353
                                        • _free.LIBCMT ref: 0044837A
                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                        • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                        • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                        • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                        • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                        APIs
                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseHandleOpen$FileImageName
                                        • String ID:
                                        • API String ID: 2951400881-0
                                        • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                        • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                        • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                        • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                        APIs
                                        • _free.LIBCMT ref: 00450A54
                                          • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                          • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                        • _free.LIBCMT ref: 00450A66
                                        • _free.LIBCMT ref: 00450A78
                                        • _free.LIBCMT ref: 00450A8A
                                        • _free.LIBCMT ref: 00450A9C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                        • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                        • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                        • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                        APIs
                                        • _strpbrk.LIBCMT ref: 0044E7B8
                                        • _free.LIBCMT ref: 0044E8D5
                                          • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                          • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                          • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Similarity
                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                        • String ID: *?$.
                                        • API String ID: 2812119850-3972193922
                                        • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                        • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                        • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                        APIs
                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                          • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                          • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Similarity
                                        • API ID: CreateFileKeyboardLayoutNameconnectsend
                                        • String ID: XQG$NG$PG
                                        • API String ID: 1634807452-3565412412
                                        • Opcode ID: ff509887c0297cf051371caae340bc63612711fcf8e22fa12d419fcf8622d445
                                        • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                        • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                          • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                          • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                          • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                        • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                        Similarity
                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                        • String ID: /sort "Visit Time" /stext "$0NG
                                        • API String ID: 368326130-3219657780
                                        • Opcode ID: 19a75f4089cd682c196d93085774e8610958794b4b53e2c59ee42357a682b9a9
                                        • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                        • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                          • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                          • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                          • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                        • _free.LIBCMT ref: 0044F050
                                        • _free.LIBCMT ref: 0044F086
                                        Similarity
                                        • API ID: _free$ErrorLast_abort
                                        • String ID: 2m$2m
                                        • API String ID: 2991157371-1414006243
                                        • Opcode ID: b0ee2aee4096bb997892b4dec28a89a25a1db6387992807ccb6f750b77acbdfb
                                        • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                                        • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58
                                        APIs
                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                        • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                        Similarity
                                        • API ID: Init_thread_footer__onexit
                                        • String ID: [End of clipboard]$[Text copied to clipboard]$xdF
                                        • API String ID: 1881088180-1310280921
                                        • Opcode ID: 817b4c01eafabb62cefe08f25f435df96e29b2123a05dda1d2c5d8970e98f987
                                        • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                        • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                        APIs
                                        • _wcslen.LIBCMT ref: 00416330
                                          • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                          • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                          • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                          • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                        Similarity
                                        • API ID: _wcslen$CloseCreateValue
                                        • String ID: !D@$okmode$PG
                                        • API String ID: 3411444782-3370592832
                                        • Opcode ID: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                        • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                        • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                        APIs
                                          • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                        Strings
                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                        • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                        • API String ID: 1174141254-1980882731
                                        • Opcode ID: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                        • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                        • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                        APIs
                                          • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                        • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                        Strings
                                        • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                        • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                        • API String ID: 1174141254-1980882731
                                        • Opcode ID: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                        • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                        • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                        APIs
                                        • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                        • wsprintfW.USER32 ref: 0040B22E
                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                        Similarity
                                        • API ID: EventLocalTimewsprintf
                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                        • API String ID: 1497725170-1359877963
                                        • Opcode ID: a3905fbfc43fac7a56565b143f4cb0e617564af9bef08e2450f5cad6a16d512e
                                        • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                        • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                        APIs
                                          • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                          • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                        • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                        Similarity
                                        • API ID: CreateThread$LocalTime$wsprintf
                                        • String ID: Online Keylogger Started
                                        • API String ID: 112202259-1258561607
                                        • Opcode ID: 0fcd38e96aacb40c04b118771990cdae8bba74e61c9056a984dbcae37755a7c2
                                        • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                        • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                        APIs
                                        • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: CryptUnprotectData$crypt32
                                        • API String ID: 2574300362-2380590389
                                        • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                        • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                        • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                        • CloseHandle.KERNEL32(?), ref: 004051CA
                                        • SetEvent.KERNEL32(?), ref: 004051D9
                                        Similarity
                                        • API ID: CloseEventHandleObjectSingleWait
                                        • String ID: Connection Timeout
                                        • API String ID: 2055531096-499159329
                                        • Opcode ID: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                        • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                        • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                        Similarity
                                        • API ID: Exception@8Throw
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 2005118841-1866435925
                                        • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                        • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                        • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                        • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                        APIs
                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                        • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
                                        • RegCloseKey.ADVAPI32(004752D8,?,0040F85E,pth_unenc,004752D8), ref: 00413893
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: pth_unenc
                                        • API String ID: 1818849710-4028850238
                                        • Opcode ID: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                        • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                        • Opcode Fuzzy Hash: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                        • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                          • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                          • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                        • String ID: bad locale name
                                        • API String ID: 3628047217-1405518554
                                        • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                        • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                        • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                        • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                        APIs
                                        • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                        • ShowWindow.USER32(00000009), ref: 00416C9C
                                        • SetForegroundWindow.USER32 ref: 00416CA8
                                          • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(`#l), ref: 0041CE35
                                          • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                          • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                          • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                        • String ID: !D@
                                        • API String ID: 186401046-604454484
                                        • Opcode ID: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                        • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                        • Opcode Fuzzy Hash: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                        • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell
                                        • String ID: /C $cmd.exe$open
                                        • API String ID: 587946157-3896048727
                                        • Opcode ID: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                        • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                        • Opcode Fuzzy Hash: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                        • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                        APIs
                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteDirectoryFileRemove
                                        • String ID: pth_unenc$xdF
                                        • API String ID: 3325800564-2448381268
                                        • Opcode ID: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                        • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                        • Opcode Fuzzy Hash: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                        • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                        APIs
                                        • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                        • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                        • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: TerminateThread$HookUnhookWindows
                                        • String ID: pth_unenc
                                        • API String ID: 3123878439-4028850238
                                        • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                        • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                        • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                        • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __alldvrm$_strrchr
                                        • String ID:
                                        • API String ID: 1036877536-0
                                        • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                        • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                        • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                        • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                        • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                        • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                        • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                        • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                        • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                        • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                        • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 3360349984-0
                                        • Opcode ID: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                        • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                        • Opcode Fuzzy Hash: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                        • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                        Strings
                                        • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                        • Cleared browsers logins and cookies., xrefs: 0040C130
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                        • API String ID: 3472027048-1236744412
                                        • Opcode ID: 1d84a610968c0f989614364af8c032c8251bfa68e213ae620782c32fadd9a619
                                        • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                        • Opcode Fuzzy Hash: 1d84a610968c0f989614364af8c032c8251bfa68e213ae620782c32fadd9a619
                                        • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                        APIs
                                          • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                          • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                          • Part of subcall function 00413733: RegCloseKey.ADVAPI32(00000000), ref: 00413773
                                        • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenQuerySleepValue
                                        • String ID: `#l$exepath$xdF
                                        • API String ID: 4119054056-713248197
                                        • Opcode ID: 01bdf780ec6ac7598780d4fc060e49cfbed0a76d2458a37ef2a8bb80d49c98e5
                                        • Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
                                        • Opcode Fuzzy Hash: 01bdf780ec6ac7598780d4fc060e49cfbed0a76d2458a37ef2a8bb80d49c98e5
                                        • Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
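The per-function records in this report all carry the same fixed shape: an "APIs" block of `• Api.MODULE(args), ref: <address>` lines (with "Part of subcall function" prefixes for callees), then the strings and hashes. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses those call lines, resolves the Win32 constants the report prints as raw hex (HKEY roots, REG_SZ, KEY_READ, SW_HIDE/SW_RESTORE, the console code page, Sleep intervals) and tags each function with the behaviour its call set implies, so that the registry-path write, the hidden console, the `cmd.exe` launch, the hook teardown and the `exepath` read-back loop above become visible at a glance. The input is an excerpt of call lines copied from the records above; the tag names, the constant tables and the assumption that the last listed ShowWindow argument is nCmdShow are this script's own.

```python
# Added example for the records above; not part of the Joe Sandbox report or its
# tooling. Tag names, constant tables and the ShowWindow assumption are this script's.
import re

# Constructed input: call lines copied from the report records above, one "APIs"
# block per function, with the other record fields left out.
SAMPLE = """\
APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
• RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
APIs
• CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
• ShowWindow.USER32(00000009), ref: 00416C9C
• SetForegroundWindow.USER32 ref: 00416CA8
  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(`#l), ref: 0041CE35
  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
APIs
• TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
• UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
APIs
  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
• Sleep.KERNEL32(00000BB8), ref: 004127B5
"""

# One bullet = one call: optional "Part of subcall function X:" prefix, Api.MODULE,
# an optional argument list in parentheses, then ", ref: <address>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}")

# Win32 constants as the report prints them: 8 hex digits, no 0x prefix.
HKEY_ROOTS = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
              "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
REG_TYPES = {"00000001": "REG_SZ", "00000002": "REG_EXPAND_SZ", "00000003": "REG_BINARY", "00000004": "REG_DWORD"}
SHOW_CMDS = {"00000000": "SW_HIDE", "00000001": "SW_SHOWNORMAL", "00000005": "SW_SHOW", "00000009": "SW_RESTORE"}
KEY_READ = "00020019"  # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY

def parse_records(text):
    """Split the text at 'APIs' headers and parse each bullet into a call dict."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"calls": []}
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            raw = m.group("args")
            current["calls"].append({
                "api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"),
                "subcall": m.group("sub"),
                "args": [a.strip() for a in raw.split(",")] if raw is not None else []})
    return [r for r in records if r["calls"]]  # records with no resolved calls are dropped

def annotate(call):
    """Resolve well-known constants and literal strings in one call's arguments."""
    api, args, notes = call["api"], call["args"], []
    if api.startswith(("RegCreateKey", "RegOpenKeyEx")) and args and args[0] in HKEY_ROOTS:
        notes.append("root=" + HKEY_ROOTS[args[0]])
    if api.startswith("RegOpenKeyEx") and args[3:4] == [KEY_READ]:
        notes.append("samDesired=KEY_READ")
    if api.startswith("RegSetValueEx") and len(args) > 3:
        notes.append("dwType=" + REG_TYPES.get(args[3], args[3]))
    if api == "ShowWindow" and args:  # assumption: the last listed value is nCmdShow
        notes.append("nCmdShow=" + SHOW_CMDS.get(args[-1], args[-1]))
    if api in ("Sleep", "SetConsoleOutputCP") and args and HEX32_RE.fullmatch(args[0]):
        notes.append(("%d ms" if api == "Sleep" else "codepage=%d") % int(args[0], 16))
    # Anything left that is not a 32-bit value, "?" or a function label is a resolved string literal.
    notes += ["string=" + a for a in args
              if a != "?" and not HEX32_RE.fullmatch(a) and not a.startswith("Function_")]
    return notes

def tag_record(calls):
    """Coarse behaviour tags for one function (tag names are this script's own)."""
    names = {c["api"] for c in calls}
    notes = {n for c in calls for n in annotate(c)}
    checks = {
        "registry_write": any(n.startswith("RegSetValueEx") for n in names),
        "registry_read": any(n.startswith("RegQueryValueEx") for n in names),
        "hkcu": "root=HKEY_CURRENT_USER" in notes,
        "shell_command": any(c["api"].startswith("ShellExecute") and "cmd.exe" in c["args"] for c in calls),
        "windows_hook": bool(names & {"UnhookWindowsHookEx", "SetWindowsHookExA", "SetWindowsHookExW"}),
        "thread_terminate": "TerminateThread" in names,
        "hidden_console": "AllocConsole" in names and "nCmdShow=SW_HIDE" in notes,
    }
    return {tag for tag, hit in checks.items() if hit}

def summarise(text):
    """One dict per function: entry address, APIs in order, resolved notes and tags."""
    return [{"entry": r["calls"][0]["ref"], "apis": [c["api"] for c in r["calls"]],
             "notes": [n for c in r["calls"] for n in annotate(c)],
             "tags": sorted(tag_record(r["calls"]))} for r in parse_records(text)]
```

Calling `summarise(SAMPLE)` yields one dict per function; for the five excerpted records it reports the HKCU REG_SZ write, the console that is allocated and then hidden with code page 1252, the `ShellExecuteW("open", "cmd.exe")` launch, the hook removal plus thread kill, and the KEY_READ open of HKCU followed by a 3000 ms sleep. Feeding the whole report text to `parse_records` works the same way, since lines that are not call bullets or "APIs" headers are ignored; the tags are deliberately coarse and are a triage aid, not a verdict.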
                                        APIs
                                          • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                          • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                          • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                        • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                        • Sleep.KERNEL32(00000064), ref: 0040A638
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Window$SleepText$ForegroundLength
                                        • String ID: [ $ ]
                                        • API String ID: 3309952895-93608704
                                        • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                        • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                        • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                        • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: SystemTimes$Sleep__aulldiv
                                        • String ID:
                                        • API String ID: 188215759-0
                                        • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                        • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                        • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                        • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                        • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                        • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                        • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                        • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                        • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                        • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                        • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                        • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                        • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                        • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                        • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleReadSize
                                        • String ID:
                                        • API String ID: 3919263394-0
                                        • Opcode ID: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                        • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                        • Opcode Fuzzy Hash: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                        • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                          • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                        • _UnwindNestedFrames.LIBCMT ref: 00439911
                                        • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                        • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                        • String ID:
                                        • API String ID: 2633735394-0
                                        • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                        • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                        • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                        • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                        APIs
                                        • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                        • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                        • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                        • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: MetricsSystem
                                        • String ID:
                                        • API String ID: 4116985748-0
                                        • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                        • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                        • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                        • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                        APIs
                                        • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                        • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                        • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                          • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                        • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                        • String ID:
                                        • API String ID: 1761009282-0
                                        • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                        • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                        • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                        • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                        • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                        • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                        • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                        APIs
                                        • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                                          • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                          • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: GdiplusStartupconnectsend
                                        • String ID: ,aF$NG
                                        • API String ID: 1957403310-2168067942
                                        • Opcode ID: 58f85970f1ba036b998a940dbcf5695eb429ab9dbe0addeb4128eb85be2fdd28
                                        • Instruction ID: 646e85ae029ebb21aec6d49858a727e037fa7bb3a6359959f193cd142bf324ca
                                        • Opcode Fuzzy Hash: 58f85970f1ba036b998a940dbcf5695eb429ab9dbe0addeb4128eb85be2fdd28
                                        • Instruction Fuzzy Hash: 8E41D4713042015BC208FB22D892ABF7396ABC0358F50493FF54A672D2EF7C5D4A869E
                                        APIs
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                          • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                          • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                          • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                        • String ID: image/jpeg
                                        • API String ID: 1291196975-3785015651
                                        • Opcode ID: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                        • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                        • Opcode Fuzzy Hash: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                        • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
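The API lists in the records above are the raw material for behaviour triage: GetSystemMetrics with 0x4C through 0x4F is the virtual-screen rectangle (SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN, SM_CYVIRTUALSCREEN) a screenshot routine needs; GdipLoadImageFromStream followed by GdipSaveImageToStream next to the image/jpeg string re-encodes that capture; the GetWindowTextW plus Sleep loop is the keylogger's active-window tagging; and the LoadLibraryExW(…, 0x800) / GetLastError / LoadLibraryExW(…, 0) triple is the MSVC runtime's LOAD_LIBRARY_SEARCH_SYSTEM32 fallback (retry without flags when the OS rejects the flag), not anything Remcos-specific. The Python below is an added example, not part of the Joe Sandbox report or of the Remcos sample: it parses report lines of exactly this form into call records and runs a small rule set over them. The rule names are our own labels, and SAMPLE is constructed from a subset of the records on this page with some argument lists trimmed.

```python
"""Parse the 'APIs' lines of Joe Sandbox function records and label behaviour
clusters.  Added example, not part of the report or of Remcos: the labels are
our own, and SAMPLE is constructed from records on this page (arguments trimmed)."""
import re
from collections import namedtuple

# "CreateFileW.KERNEL32(00000000,80000000), ref: 0041C52F", the bare
# "Sleep.KERNEL32 ref: 0041667B" form, and "Part of subcall function XXXXXXXX: ..." lines.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")

# args: int for 8-hex-digit values, raw string for "?" or a symbol; ref: call-site address
Call = namedtuple("Call", "name module args ref subcall")

def _arg(tok):
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_call(line):
    m = API_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
    return Call(m["name"], m["module"].upper(), args, int(m["ref"], 16), m["sub"] is not None)

def split_records(text):
    # One record per "APIs" header; "Strings" / "Memory Dump Source" close it,
    # which is how the report delimits a single function.
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            current = []
            records.append(current)
        elif line in ("Strings", "Memory Dump Source"):
            current = None
        elif current is not None and (call := parse_call(line)):
            current.append(call)
    return records

SM_VIRTUAL_SCREEN = {0x4C, 0x4D, 0x4E, 0x4F}   # SM_X/Y/CX/CYVIRTUALSCREEN
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800

def _names(rec):
    return {c.name for c in rec}

def rule_virtual_screen(rec):
    # All four virtual-screen metrics: the bounding box a screenshot routine needs.
    return SM_VIRTUAL_SCREEN <= {c.args[0] for c in rec if c.name == "GetSystemMetrics" and c.args}

def rule_image_reencode(rec):
    # Image loaded from a memory stream and saved back out: screenshot compression.
    return {"GdipLoadImageFromStream", "GdipSaveImageToStream"} <= _names(rec)

def rule_window_title_poll(rec):
    # Window title read inside a Sleep loop: keylogger context tagging.
    return {"GetWindowTextW", "Sleep"} <= _names(rec)

def rule_crt_loadlibrary_fallback(rec):
    # LoadLibraryExW(LOAD_LIBRARY_SEARCH_SYSTEM32) retried with flags 0 after
    # GetLastError: the MSVC runtime's own helper, not malware logic.
    flags = {c.args[2] for c in rec if c.name == "LoadLibraryExW" and len(c.args) > 2}
    return {LOAD_LIBRARY_SEARCH_SYSTEM32, 0} <= flags and "GetLastError" in _names(rec)

RULES = {"virtual-screen bounds": rule_virtual_screen,
         "GDI+ image re-encode": rule_image_reencode,
         "window-title polling": rule_window_title_poll,
         "benign CRT LoadLibrary fallback": rule_crt_loadlibrary_fallback}

def summarize(text):
    # Map the first direct call site of each record to the labels that fire.
    out = {}
    for rec in split_records(text):
        if rec:
            anchor = next((c for c in rec if not c.subcall), rec[0])
            out[f"{anchor.ref:08X}"] = [label for label, rule in RULES.items() if rule(rec)]
    return out

SAMPLE = """APIs
• Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
• Sleep.KERNEL32(000001F4), ref: 0040A5AE
• Sleep.KERNEL32(00000064), ref: 0040A638
Strings
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,?,0044858D), ref: 00448618
• GetLastError.KERNEL32(?,0044858D,00000000), ref: 00448624
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D), ref: 00448632
APIs
• GetSystemMetrics.USER32(0000004C), ref: 0041942B
• GetSystemMetrics.USER32(0000004D), ref: 00419431
• GetSystemMetrics.USER32(0000004E), ref: 00419437
• GetSystemMetrics.USER32(0000004F), ref: 0041943D
APIs
• SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
• Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000), ref: 004186A5
• Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62), ref: 00418718
Memory Dump Source
"""
```

Feed summarize() the text of any run of function records from this report; records that trip only the CRT rule are runtime helpers and can be skipped during triage, while the remaining labels point at the functions worth opening in the disassembler first.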
                                        APIs
                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ACP$OCP
                                        • API String ID: 0-711371036
                                        • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                        • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                        • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                        • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                        APIs
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                          • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                          • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                          • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                        • String ID: image/png
                                        • API String ID: 1291196975-2966254431
                                        • Opcode ID: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                        • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                        • Opcode Fuzzy Hash: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                        • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                        APIs
                                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 481472006-1507639952
                                        • Opcode ID: 88bc6abef2036a94c41ea4afde5572064ad21bcafcbd622e37c2bb368cee5363
                                        • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                        • Opcode Fuzzy Hash: 88bc6abef2036a94c41ea4afde5572064ad21bcafcbd622e37c2bb368cee5363
                                        • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                        APIs
                                        • Sleep.KERNEL32 ref: 0041667B
                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DownloadFileSleep
                                        • String ID: !D@
                                        • API String ID: 1931167962-604454484
                                        • Opcode ID: 05864501e3066f261fa3773e90e58814017deb9033068c5665e3f6f63e0eedc9
                                        • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                        • Opcode Fuzzy Hash: 05864501e3066f261fa3773e90e58814017deb9033068c5665e3f6f63e0eedc9
                                        • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                        APIs
                                        • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: | $%02i:%02i:%02i:%03i
                                        • API String ID: 481472006-2430845779
                                        • Opcode ID: 52f1b42f153ed4b644b91f11fc4c23a59010ae0a013f6087acbd7f2f1f111652
                                        • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                        • Opcode Fuzzy Hash: 52f1b42f153ed4b644b91f11fc4c23a59010ae0a013f6087acbd7f2f1f111652
                                        • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: alarm.wav$hYG
                                        • API String ID: 1174141254-2782910960
                                        • Opcode ID: f7e91bfaf8b99ac86c10a1af32db07f645763c2e3290c42acfcbd5bd632e7d00
                                        • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                        • Opcode Fuzzy Hash: f7e91bfaf8b99ac86c10a1af32db07f645763c2e3290c42acfcbd5bd632e7d00
                                        • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                        APIs
                                          • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                          • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                          • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                        • UnhookWindowsHookEx.USER32 ref: 0040B102
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                        • String ID: Online Keylogger Stopped
                                        • API String ID: 1623830855-1496645233
                                        • Opcode ID: 539f72ab5f86f5c342155b2b16da774537cba30e5d1a0a8ca2b311f7dcb13205
                                        • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                        • Opcode Fuzzy Hash: 539f72ab5f86f5c342155b2b16da774537cba30e5d1a0a8ca2b311f7dcb13205
                                        • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                        APIs
                                          • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                          • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                          • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                          • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • _abort.LIBCMT ref: 0044F129
                                        • _free.LIBCMT ref: 0044F15D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast_abort_free
                                        • String ID: 2m
                                        • API String ID: 289325740-977460488
                                        • Opcode ID: 870bd59091670ef6f85687353f23d3fa7adaacf8e57ceb1d53a868e14bc6891b
                                        • Instruction ID: a8e40e627a719db10bf70d85eeadc0c4c2fb790701f4ec7f842983f146219858
                                        • Opcode Fuzzy Hash: 870bd59091670ef6f85687353f23d3fa7adaacf8e57ceb1d53a868e14bc6891b
                                        • Instruction Fuzzy Hash: 0501A1B1D01A21DBEB31AFA9D84265EB3A0BF04720B19012FE51463391CB386D46CBCE
                                        APIs
                                        • waveInPrepareHeader.WINMM(006CD4C8,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                        • waveInAddBuffer.WINMM(006CD4C8,00000020,?,00000000,00401A15), ref: 0040185F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wave$BufferHeaderPrepare
                                        • String ID: XMG
                                        • API String ID: 2315374483-813777761
                                        • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                        • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                        • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                        • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: $G
                                        • API String ID: 269201875-4251033865
                                        • Opcode ID: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                        • Instruction ID: 4a6f060c21597e0392f33703011e6e0157da39883ddad7ec559e06d861eb6f1f
                                        • Opcode Fuzzy Hash: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                        • Instruction Fuzzy Hash: 64E0E532A0152014F6713A3B6D1665B45C68BC1B3AF22423FF425962C2DFAC8946516E
                                        APIs
                                        • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocaleValid
                                        • String ID: IsValidLocaleName$kKD
                                        • API String ID: 1901932003-3269126172
                                        • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                        • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                        • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                        • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                        • API String ID: 1174141254-4188645398
                                        • Opcode ID: 67a37633ad4a3934eb7a9710067efd7b2c9a9b469ed032209e18e61634ff2717
                                        • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                        • Opcode Fuzzy Hash: 67a37633ad4a3934eb7a9710067efd7b2c9a9b469ed032209e18e61634ff2717
                                        • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                        • API String ID: 1174141254-2800177040
                                        • Opcode ID: 7414731bf553168197ebf71208b97339720711320eac3921dee6b082f9eb1638
                                        • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                        • Opcode Fuzzy Hash: 7414731bf553168197ebf71208b97339720711320eac3921dee6b082f9eb1638
                                        • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: AppData$\Opera Software\Opera Stable\
                                        • API String ID: 1174141254-1629609700
                                        • Opcode ID: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                        • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                        • Opcode Fuzzy Hash: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                        • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: $G
                                        • API String ID: 269201875-4251033865
                                        • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                        • Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
                                        • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                        • Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
                                        APIs
                                        • GetKeyState.USER32(00000011), ref: 0040B686
                                          • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                          • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                          • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                          • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                          • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                          • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                          • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                          • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                        • String ID: [AltL]$[AltR]
                                        • API String ID: 2738857842-2658077756
                                        • Opcode ID: 0f70a0069a612ae1fb5ede6b6ff70f96726a9fd1eec0d97551c5347f5f324e5e
                                        • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                        • Opcode Fuzzy Hash: 0f70a0069a612ae1fb5ede6b6ff70f96726a9fd1eec0d97551c5347f5f324e5e
                                        • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell
                                        • String ID: !D@$open
                                        • API String ID: 587946157-1586967515
                                        • Opcode ID: eb4567e96d42521689c96e83ef1aa2a6a7df05ac31277aa5078135f6cb8d6bca
                                        • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                        • Opcode Fuzzy Hash: eb4567e96d42521689c96e83ef1aa2a6a7df05ac31277aa5078135f6cb8d6bca
                                        • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                        APIs
                                        • GetKeyState.USER32(00000012), ref: 0040B6E0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: State
                                        • String ID: [CtrlL]$[CtrlR]
                                        • API String ID: 1649606143-2446555240
                                        • Opcode ID: 1d2d80fd5b8c20147d0c6ff4d402c2e3edc42c22dff79285f987829e6048126c
                                        • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                        • Opcode Fuzzy Hash: 1d2d80fd5b8c20147d0c6ff4d402c2e3edc42c22dff79285f987829e6048126c
                                        • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                        APIs
                                          • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                        • __Init_thread_footer.LIBCMT ref: 00410F64
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Init_thread_footer__onexit
                                        • String ID: ,kG$0kG
                                        • API String ID: 1881088180-2015055088
                                        • Opcode ID: bf6eaf7ad603c651630b5b847c32adb66bdf614d62153d48efbad85f1494e607
                                        • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                        • Opcode Fuzzy Hash: bf6eaf7ad603c651630b5b847c32adb66bdf614d62153d48efbad85f1494e607
                                        • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
                                        • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteOpenValue
                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                        • API String ID: 2654517830-1051519024
                                        • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                        • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                        • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                        • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
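The records above are what a triager actually works from: the modifier-key records (GetKeyState / ToUnicodeEx with [AltL]$[AltR] and [CtrlL]$[CtrlR] string IDs) are the keystroke-labelling part of the keylogger, and the RegOpenKeyExW / RegDeleteValueW record touches the HKLM (0x80000002) Policies\Explorer\Run autorun key. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses this record format (the "APIs" / "Strings" / "Similarity" blocks and their "• API ID:" / "• String ID:" fields) and tags records by those two behaviours. It generalises slightly beyond the page, also recognising RegSetValueEx and the plain CurrentVersion\Run path. The tag names, the HIVES map of the standard HKEY_* constants and the embedded SAMPLE text (abbreviated copies of three records from this report) are this example's own constructions.

```python
import re
from dataclasses import dataclass, field

# Section headings Joe Sandbox emits for every function record.
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# "Name.MODULE(arg,arg,...)" as printed in the APIs section; args are optional
# (CRT entries such as "__onexit.LIBCMT ref: ..." have none).
API_RE = re.compile(r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?")
# Standard predefined registry hive handles (first argument of RegOpenKeyExW).
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}
KEYLOG_APIS = {"GetKeyState", "GetAsyncKeyState", "ToUnicodeEx", "GetKeyboardState"}
MODIFIER_TAG_RE = re.compile(r"\[(?:Alt|Ctrl|Shift|Win)[LR]\]")
AUTORUN_PATHS = ("CurrentVersion\\Run", "Policies\\Explorer\\Run")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (name, module, args, is_subcall)
    strings: list = field(default_factory=list)   # Strings section + "$"-split String ID
    api_id: str = ""
    opcode_id: str = ""

    def api_names(self):
        return {a[0] for a in self.apis}


def parse_records(text):
    """Split report text into FunctionRecord objects; each record starts at 'APIs'."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            section = line
            continue
        if line in HEADINGS:
            section = line
            continue
        if cur is None:
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.search(body)
            if m:
                args = (m.group("args") or "").split(",")
                cur.apis.append((m.group("name"), m.group("module"), args,
                                 body.startswith("Part of subcall")))
        elif section == "Strings":
            cur.strings.append(body.split(", xrefs:")[0])
        elif section == "Similarity":
            key, _, value = body.partition(":")
            value = value.strip()
            if key == "API ID":
                cur.api_id = value
            elif key == "String ID":
                cur.strings.extend(s for s in value.split("$") if s)
            elif key == "Opcode ID":
                cur.opcode_id = value
    return records


def classify(rec):
    """Return the behaviour tags (this example's own names) for one record."""
    tags = set()
    names = rec.api_names()
    if names & KEYLOG_APIS and any(MODIFIER_TAG_RE.search(s) for s in rec.strings):
        tags.add("keylogger:modifier-key-labels")
    if any(p in s for s in rec.strings for p in AUTORUN_PATHS):
        for name, _, args, _ in rec.apis:
            if name in ("RegOpenKeyExW", "RegOpenKeyExA", "RegCreateKeyExW", "RegCreateKeyExA"):
                tags.add("autorun-key:" + HIVES.get(args[0].strip(), "handle"))
        if names & {"RegDeleteValueW", "RegDeleteValueA"}:
            tags.add("autorun-value-delete")
        if names & {"RegSetValueExW", "RegSetValueExA"}:
            tags.add("autorun-value-set")
    return tags


def summarize(text):
    """[(API ID, sorted tags)] for every record in the text; untagged records are kept."""
    return [(r.api_id, sorted(classify(r))) for r in parse_records(text)]


# Constructed sample: three records copied (abbreviated) from the report above.
SAMPLE = r"""APIs
• GetKeyState.USER32(00000012), ref: 0040B6E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
Similarity
• API ID: DeleteOpenValue
• Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
Similarity
• API ID: ExecuteShell
• String ID: !D@$open
"""

if __name__ == "__main__":
    for api_id, tags in summarize(SAMPLE):
        print(api_id, tags)
```

Run it against the full report text instead of SAMPLE to get one line per function record; records with an empty tag list are the bulk (CRT, string conversion, shell launch) and the two tag families surface the keystroke labelling and the HKLM Policies\Explorer\Run access that matter for triage.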
                                        APIs
                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ObjectProcessSingleTerminateWait
                                        • String ID: pth_unenc
                                        • API String ID: 1872346434-4028850238
                                        • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                        • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                        • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                        • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CommandLine
                                        • String ID: 0&k
                                        • API String ID: 3253501508-3264481142
                                        • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                        • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                                        • Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                        • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                        • GetLastError.KERNEL32 ref: 00440D85
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                        • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                        • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                        • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                        APIs
                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                        • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                        • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                        • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.3857541707.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.3857521316.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857578391.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857605042.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.3857640069.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_ZZ.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastRead
                                        • String ID:
                                        • API String ID: 4100373531-0
                                        • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                        • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                        • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                        • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99