Windows Analysis Report
17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe

Overview

General Information

Sample name: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe
Analysis ID: 1519336
MD5: 599d0aacc8a8b93e5aa5a2eae248cb01
SHA1: 7c12c80ebd48295dd21ec15be849ca22015e7d08
SHA256: 08d6f9ddd03aafd9ccc617f25af984cfe801206fc1c1b8e7a8cb6c66ea73cb2e
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration: {"Host:Port:Password": "23spt.duckdns.org:3000:0", "Assigned name": "Tost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-RZH5WZ", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches on the submitted sample (Source | Rule | Description | Author, followed by matched strings)

17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

Yara matches on dropped files (Source | Rule | Description | Author)

C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches in process memory dumps (Source | Rule | Description | Author, followed by matched strings)

00000000.00000002.4139200887.00000000022FF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x134b8:$a1: Remcos restarted by watchdog!
  • 0x13a30:$a3: %02i:%02i:%02i:%03i

Yara matches in unpacked PE images (Source | Rule | Description | Author, followed by matched strings)

0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, ProcessId: 7256, TargetFilename: C:\ProgramData\remcos\logs.dat
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)

AV Detection

Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Avira: detected
Source: 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "23spt.duckdns.org:3000:0", "Assigned name": "Tost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-RZH5WZ", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Yara match | File source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4139200887.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe PID: 7256, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_004338C8
Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_541d8380-a

Exploits

Source: Yara match | File source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe PID: 7256, type: MEMORYSTR

Privilege Escalation

                        barindex
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00407538 _wcslen,CoGetObject,0_2_00407538
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2

                        Networking

                        Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49730 -> 181.236.206.3:3000
                        Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49800 -> 191.93.114.27:3000
                        Source: Malware configuration extractor | URLs: 23spt.duckdns.org
                        Source: unknown | DNS query: name: 23spt.duckdns.org
                        Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 181.236.206.3:3000
                        Source: global traffic | TCP traffic: 192.168.2.4:49784 -> 191.93.114.27:3000
                        Source: Joe Sandbox View | ASN Name: ColombiaMovilCO ColombiaMovilCO
                        Source: Joe Sandbox View | ASN Name: TELEBUCARAMANGASAESPCO TELEBUCARAMANGASAESPCO
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00404B96 WaitForSingleObject,SetEvent,recv,0_2_00404B96
                        Source: global traffic | DNS traffic detected: DNS query: 23spt.duckdns.org
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 0_2_0040A2F3
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B749
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004168FC
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B749
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_0040A41B
                        Source: Yara match | File source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe PID: 7256, type: MEMORYSTR

                        E-Banking Fraud

                        Source: Yara match | File source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.4139200887.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe PID: 7256, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0041CA6D SystemParametersInfoW,0_2_0041CA6D
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0041CA73 SystemParametersInfoW,0_2_0041CA73

                        System Summary

                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe PID: 7256, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Process Stats: CPU usage > 49%
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,0_2_0041330D
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle,0_2_0041BBC6
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041BB9A
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_004167EF
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_004387F00_2_004387F0
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0043797E0_2_0043797E
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_004339D70_2_004339D7
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0044DA490_2_0044DA49
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_00427AD70_2_00427AD7
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0041DBF30_2_0041DBF3
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_00427C400_2_00427C40
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_00437DB30_2_00437DB3
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_00435EEB0_2_00435EEB
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0043DEED0_2_0043DEED
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_00426E9F0_2_00426E9F
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: String function: 00402093 appears 50 times
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: String function: 00401E65 appears 35 times
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: String function: 00434E70 appears 54 times
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: String function: 00434801 appears 42 times
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe PID: 7256, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@10/2
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_0041798D
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040F4AF
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041B539
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AADB
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-RZH5WZ
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: Software\0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: Rmc-RZH5WZ0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: Exe0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: Exe0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: Rmc-RZH5WZ0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: ,aF0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: Inj0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: Inj0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: h&y0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: h&y0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: h&y0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: xKy0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: h&y0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: exepath0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: ,aF0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: xKy0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: exepath0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: h&y0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: licence0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: dMG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: PSG0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: Administrator0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: User0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: del0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: del0_2_0040EA00
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCommand line argument: del0_2_0040EA00
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeReversingLabs: Detection: 84%
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: rstrtmgr.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_00457186 push ecx; ret 0_2_00457199
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0041C7F3 push eax; retf 0_2_0041C7FD
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW,0_2_00406EEB
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AADB
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeCode function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        barindex
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040F7E2 Sleep,ExitProcess,0_2_0040F7E2
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041A7D9
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Window / User API: threadDelayed 1756
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Window / User API: threadDelayed 7744
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Window / User API: foregroundWindowGot 1752
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe TID: 7280 | Thread sleep count: 201 > 30
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe TID: 7280 | Thread sleep time: -100500s >= -30000s
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe TID: 7284 | Thread sleep count: 1756 > 30
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe TID: 7284 | Thread sleep time: -5268000s >= -30000s
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe TID: 7284 | Thread sleep count: 7744 > 30
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe TID: 7284 | Thread sleep time: -23232000s >= -30000s
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | API call chain: ExitProcess graph end node | graph_0-48206
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00443355 mov eax, dword ptr fs:[00000030h] | 0_2_00443355
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_004120B2 GetProcessHeap,HeapFree,0_2_004120B2
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043503C
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BB71
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00434BD8 SetUnhandledExceptionFilter,0_2_00434BD8
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 0_2_00412132
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00419662 mouse_event,0_2_00419662
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWZ\3000
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWZ\
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager$1
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerckets\
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerdns.org:3000J
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                        Source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00434CB6 cpuid 0_2_00434CB6
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: GetLocaleInfoA,0_2_0040F90C
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_0045201B
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_004520B6
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452143
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_00452393
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00448484
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004524BC
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004525C3
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452690
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_0044896D
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451D58
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00451FD0
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,0_2_00404F51
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0041B69E GetComputerNameExW,GetUserNameW,0_2_0041B69E
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: 0_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0044942D

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.4139200887.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe PID: 7256, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 0_2_0040BA4D
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 0_2_0040BB6B
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: \key3.db | 0_2_0040BB6B

                        Remote Access Functionality

                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RZH5WZ
                        Source: Yara match | File source: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.4139200887.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe PID: 7256, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | Code function: cmd.exe | 0_2_0040569A
                        MITRE ATT&CK Matrix (a number in front of a technique is the count of matched signatures for that technique)

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                        Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                        Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | 1 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | 21 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                        Source | Detection | Scanner | Label
                        17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | 84% | ReversingLabs | Win32.Backdoor.Remcos
                        17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
                        17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | 100% | Joe Sandbox ML |
                        No Antivirus matches
                        Source | Detection | Scanner | Label
                        http://geoplugin.net/json.gp | 0% | URL Reputation | safe
                        http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
                        23spt.duckdns.org | 0% | Avira URL Cloud | safe
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        23spt.duckdns.org | 181.236.206.3 | true | true | | unknown

                        Name | Malicious | Antivirus Detection | Reputation
                        23spt.duckdns.org | true | Avira URL Cloud: safe | unknown

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://geoplugin.net/json.gp | 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | false | URL Reputation: safe | unknown
                        http://geoplugin.net/json.gp/C | 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe | false | URL Reputation: safe | unknown
                          IP | Domain | Country | ASN | ASN Name | Malicious
                          191.93.114.27 | unknown | Colombia | 27831 | ColombiaMovilCO | true
                          181.236.206.3 | 23spt.duckdns.org | Colombia | 22368 | TELEBUCARAMANGASAESPCO | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1519336
                          Start date and time:2024-09-26 11:33:16 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 21s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of new started processes analysed:5
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe
                          Detection:MAL
                          Classification:mal100.rans.troj.spyw.expl.evad.winEXE@1/1@10/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 36
                          • Number of non-executed functions: 212
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240s for sample files taking high CPU consumption
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes were analyzed, report is missing behavior information
                          • VT rate limit hit for: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe
                          Time | Type | Description
                          05:34:39 | API Interceptor | 7223011x Sleep call for process: 17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe modified
                          Match | Associated Sample Name / URL | Detection | Threat Name
                          191.93.114.27 | asegurar.vbs | malicious | Remcos, PureLog Stealer
                          191.93.114.27 | asegurar.vbs | malicious | Remcos, PureLog Stealer
                          181.236.206.3 | sostener.vbs | malicious | Remcos, PureLog Stealer
                          181.236.206.3 | asegurar.vbs | malicious | Remcos, PureLog Stealer

                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          23spt.duckdns.org | asegurar.vbs | malicious | Remcos, PureLog Stealer | 181.236.206.3

                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          ColombiaMovilCO | asegurar.vbs | malicious | Remcos, PureLog Stealer | 191.93.114.27
                          ColombiaMovilCO | UvrMJYKtES.exe | malicious | SmokeLoader | 181.204.98.226
                          ColombiaMovilCO | SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf | malicious | Unknown | 181.204.131.195
                          ColombiaMovilCO | asegurar.vbs | malicious | Remcos, PureLog Stealer | 191.93.114.27
                          ColombiaMovilCO | OcH6iVxcMe.exe | malicious | SmokeLoader | 181.204.98.226
                          ColombiaMovilCO | jade.arm6.elf | malicious | Mirai | 179.14.232.191
                          ColombiaMovilCO | z000023947538734 FAC-ELECTRONICAPDF.exe | malicious | Remcos | 179.14.11.136
                          ColombiaMovilCO | DOCUMENTO_GENERAL_ADJUNTADO_2024.EXE.exe | malicious | Remcos | 179.14.10.124
                          ColombiaMovilCO | SecuriteInfo.com.Linux.Siggen.9999.15962.9862.elf | malicious | Mirai | 191.88.143.180
                          ColombiaMovilCO | SecuriteInfo.com.Linux.Siggen.9999.8352.26322.elf | malicious | Mirai | 181.207.212.175
                          TELEBUCARAMANGASAESPCO | sostener.vbs | malicious | Remcos, PureLog Stealer | 181.236.206.3
                          TELEBUCARAMANGASAESPCO | asegurar.vbs | malicious | Remcos, PureLog Stealer | 181.236.206.3
                          TELEBUCARAMANGASAESPCO | kz7iLmqRuq.exe | malicious | Quasar | 201.221.134.74
                          TELEBUCARAMANGASAESPCO | bVMuPnsMIq.elf | malicious | Mirai | 190.96.128.60
                          TELEBUCARAMANGASAESPCO | YfM6hAPQaS.elf | malicious | Mirai | 190.96.128.48
                          TELEBUCARAMANGASAESPCO | arm7.elf | malicious | Mirai | 190.96.128.56
                          TELEBUCARAMANGASAESPCO | 2YEUP84vcy.elf | malicious | Mirai | 190.13.19.189
                          TELEBUCARAMANGASAESPCO | 4eGsl7kZ8Y.elf | malicious | Mirai | 190.13.25.73
                          TELEBUCARAMANGASAESPCO | MGmADocDSa.elf | malicious | Mirai | 170.80.8.38
                          TELEBUCARAMANGASAESPCO | zEtEDBaBLY.elf | malicious | Mirai | 190.96.128.97
                                  No context
                                  Process:C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):224
                                  Entropy (8bit):3.428233152047627
                                  Encrypted:false
                                  SSDEEP:3:rhlKlRlrPleWlDfwFi5JWRal2Jl+7R0DAlBG45klovDl65lQWluEkiEW/ufWPlgl:6loWR4c5YcIeeDAlOWA7DxbN2fBMMm0v
                                  MD5:AFB2B1FE1477DC7FAE9ADEB82755B1DD
                                  SHA1:1767B2E4D5242E44CC91314358929C2C6ECEB39F
                                  SHA-256:C26C16EA19407EFB650D45FA468F3086AEA98D468C36C37EA602C8ED1BD61232
                                  SHA-512:0C2B6247525BC2F3C6AAC16CF495C2ED1A3BAE03B83C1062B2B77EF5888700BEC34706AC7452CA5BD6D2C5FCE7C48937BE1C31C4F71CB8D42F8ECB65CEF585EE
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                  Reputation:low
Preview (UTF-16LE, decoded; the raw preview renders every NUL high byte as "."):
[2024/09/26 05:34:07 Offline Keylogger Started]

[Program Manager]

{ User has been idle for 0 minutes }

The four undisplayable leading bytes are consistent with a UTF-16 BOM followed by one control character; the log records a session start marker, the title of the foreground window, and an idle-time status line, which is the offline keylogger output written to C:\ProgramData\remcos\logs.dat.
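A parser for the dropped logs.dat, as an added example (not code from the Joe Sandbox report or from Remcos). The report shows the file is UTF-16LE text built from three kinds of lines: a "[YYYY/MM/DD hh:mm:ss Offline Keylogger Started]" session marker, "[Window title]" headers, and "{ ... }" status lines; keystrokes are recorded as free text under the most recent window header. SAMPLE_LOGS_DAT is constructed from the report's preview plus one invented window/keystroke pair, and the leading BOM is an assumption, since the preview only shows four undisplayable bytes there.

```python
"""Parse a Remcos offline keylogger file (logs.dat) into sessions and windows.

Added example; not code from the Joe Sandbox report or from Remcos.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed from the report's preview; the BOM and the Notepad lines are
# assumptions added for the demo and are not in the report.
SAMPLE_LOGS_DAT = b"\xff\xfe" + (
    "\n[2024/09/26 05:34:07 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n\r\n"
    "{ User has been idle for 0 minutes }\r\n"
    "[Untitled - Notepad]\r\n\r\n"        # constructed window header
    "hello[Enter]\r\n"                    # constructed keystroke line
).encode("utf-16-le")

SESSION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Offline Keylogger Started\]$")
WINDOW_RE = re.compile(r"^\[(.+)\]$")
STATUS_RE = re.compile(r"^\{ (.+) \}$")


@dataclass
class Session:
    started: str
    statuses: list[str] = field(default_factory=list)
    windows: dict[str, list[str]] = field(default_factory=dict)


def decode_logs_dat(raw: bytes) -> str:
    """UTF-16LE with or without BOM; undecodable bytes become U+FFFD rather than vanishing."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("utf-16-le", errors="replace")


def parse_keylog(raw: bytes) -> list[Session]:
    """Split the log into sessions, and each session into per-window keystroke lists."""
    sessions: list[Session] = []
    current: Session | None = None
    window = "<before first window header>"
    for line in decode_logs_dat(raw).split("\r\n"):
        line = line.strip("\r\n")
        if not line.strip():
            continue
        if m := SESSION_RE.match(line):
            current = Session(started=m.group(1))
            sessions.append(current)
            continue
        if current is None:            # keystrokes before any marker: keep them anyway
            current = Session(started="unknown")
            sessions.append(current)
        if m := STATUS_RE.match(line):
            current.statuses.append(m.group(1))
        elif m := WINDOW_RE.match(line):
            # Caveat: a keystroke line consisting only of a bracketed special key
            # (e.g. "[Enter]") cannot be told apart from a window header here.
            window = m.group(1)
            current.windows.setdefault(window, [])
        else:
            current.windows.setdefault(window, []).append(line)
    return sessions


if __name__ == "__main__":
    for s in parse_keylog(SAMPLE_LOGS_DAT):
        print(f"session {s.started}: statuses={s.statuses}")
        for title, keys in s.windows.items():
            print(f"  [{title}] -> {keys}")
```

Decoding with errors="replace" rather than "strict" is deliberate: a partially overwritten or truncated log from a live host still yields every intact entry, and the replacement characters show where the damage is.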
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):6.59908775684029
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe
                                  File size:494'080 bytes
                                  MD5:599d0aacc8a8b93e5aa5a2eae248cb01
                                  SHA1:7c12c80ebd48295dd21ec15be849ca22015e7d08
                                  SHA256:08d6f9ddd03aafd9ccc617f25af984cfe801206fc1c1b8e7a8cb6c66ea73cb2e
                                  SHA512:ee83365b54c8ea5a011734cecfec202df1a786ebaec98af977670d235b7cc7d3c7e38f2994e7e3daaa1167d309a41df84bff28495d07c23ca1a97077ce790feb
                                  SSDEEP:6144:7Tz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4creT4:7TlrYw1RUh3NFn+N5WfIQIjbs/ZmtT4
                                  TLSH:C0B49E01BAD2C072D57514300D3AF776EAB8BD201835497B73EA1D5BFE31190A72AAB7
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
                                  Icon Hash:95694d05214c1b33
                                  Entrypoint:0x434a80
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66D71DE3 [Tue Sep 3 14:32:03 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:1389569a3a39186f3eb453b501cfe688
                                  Instruction
                                  call 00007FE628E8FC1Bh
                                  jmp 00007FE628E8F663h
                                  push ebp
                                  mov ebp, esp
                                  sub esp, 00000324h
                                  push ebx
                                  push esi
                                  push 00000017h
                                  call 00007FE628EB1EB3h
                                  test eax, eax
                                  je 00007FE628E8F7D7h
                                  mov ecx, dword ptr [ebp+08h]
                                  int 29h
                                  xor esi, esi
                                  lea eax, dword ptr [ebp-00000324h]
                                  push 000002CCh
                                  push esi
                                  push eax
                                  mov dword ptr [00471D14h], esi
                                  call 00007FE628E91C26h
                                  add esp, 0Ch
                                  mov dword ptr [ebp-00000274h], eax
                                  mov dword ptr [ebp-00000278h], ecx
                                  mov dword ptr [ebp-0000027Ch], edx
                                  mov dword ptr [ebp-00000280h], ebx
                                  mov dword ptr [ebp-00000284h], esi
                                  mov dword ptr [ebp-00000288h], edi
                                  mov word ptr [ebp-0000025Ch], ss
                                  mov word ptr [ebp-00000268h], cs
                                  mov word ptr [ebp-0000028Ch], ds
                                  mov word ptr [ebp-00000290h], es
                                  mov word ptr [ebp-00000294h], fs
                                  mov word ptr [ebp-00000298h], gs
                                  pushfd
                                  pop dword ptr [ebp-00000264h]
                                  mov eax, dword ptr [ebp+04h]
                                  mov dword ptr [ebp-0000026Ch], eax
                                  lea eax, dword ptr [ebp+04h]
                                  mov dword ptr [ebp-00000260h], eax
                                  mov dword ptr [ebp-00000324h], 00010001h
                                  mov eax, dword ptr [eax-04h]
                                  push 00000050h
                                  mov dword ptr [ebp-00000270h], eax
                                  lea eax, dword ptr [ebp-58h]
                                  push esi
                                  push eax
                                  call 00007FE628E91B9Dh
Programming Language:
• [C++] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Note: this attribution is derived from the Rich header, which is easily forged, and it contradicts other artefacts in the same file: the .gfids section (Control Flow Guard function table, emitted only by VS2015 and later linkers) and the IsProcessorFeaturePresent(0x17)/int 29h fast-fail stub in the entry-point disassembly, which belongs to the post-VS2008 CRT's __report_gsfailure path. Treat the build attribution as unreliable.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x48fc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x571f5 | 0x57200 | e504ab64b98631753dc227346d757c52 | False | 0.5716379348995696 | data | 6.6273936921798455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179dc | 0x17a00 | 2a24a2cbf738bf5f992a0162fad3d464 | False | 0.5008577215608465 | data | 5.862074061245876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x48fc | 0x4a00 | 1933540138be6a4699001c45f533e76c | False | 0.2582347972972973 | data | 3.826527380540655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 047d13d1dd0f82094cdf10f08253441e | False | 0.7640625 | data | 6.723768218094163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x2ee | data | | | 1.0146666666666666
RT_GROUP_ICON | 0x7d8bc | 0x3e | data | English | United States | 0.8064516129032258
The RT_RCDATA entry is the only resource without a language tag and its ZLIB complexity is above 1.0 (it grows when deflated), so its 0x2ee bytes are effectively random: encrypted or compressed data. Remcos keeps its RC4-encrypted configuration (the C2 list reported under "Found malware configuration") in an RCDATA resource of exactly this kind, which makes this entry the first thing to carve when re-extracting the configuration.
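A decoder for a Remcos-style configuration resource, as an added example (not code from the Joe Sandbox report or from Remcos, and not the extractor Joe Sandbox used). It assumes the layout publicly documented for Remcos 3.x, the version the ET signature in the network section names: the first byte of the RCDATA resource is the RC4 key length, the key follows, and the rest is RC4 ciphertext whose fields are separated by the byte sequence "|\x1e\x1e\x1f|", with field 0 holding "host:port:tail" entries separated by ";". The report does not expose the real resource bytes, so the blob below is constructed by encrypting an invented configuration the same way; hosts and the RC4 key are made up.

```python
"""Decrypt and split a Remcos-style SETTINGS resource.

Added example; not code from the Joe Sandbox report or from Remcos. Layout is
the publicly documented Remcos 3.x one (assumption): key-length byte, RC4 key,
RC4-encrypted fields separated by FIELD_SEP.
"""
from __future__ import annotations

FIELD_SEP = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(blob: bytes) -> list[bytes]:
    """Split the blob into key and ciphertext, decrypt, and return the raw fields."""
    if not blob:
        raise ValueError("empty SETTINGS blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("implausible key length byte; not a SETTINGS blob?")
    key = blob[1:1 + key_len]
    plaintext = rc4(key, blob[1 + key_len:])
    return plaintext.split(FIELD_SEP)


def parse_hosts(field: bytes) -> list[tuple[str, int, str]]:
    """Field 0: 'host:port:tail' entries separated by ';'. The tail is kept opaque;
    public write-ups describe it as a password in older builds and a flag in newer ones."""
    hosts = []
    for entry in field.split(b";"):
        if not entry:
            continue
        host, port, tail = entry.decode("latin-1").split(":", 2)
        hosts.append((host, int(port), tail))
    return hosts


def build_demo_blob(key: bytes, fields: list[bytes]) -> bytes:
    """Constructed test data: encrypt a made-up configuration the way the format expects."""
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


# Constructed example values; none of these come from the report's configuration.
DEMO_KEY = b"k9\x11demo-rc4-key"
DEMO_FIELDS = [
    b"c2.example.invalid:3000:pass;198.51.100.7:3000:pass",  # C2 host list (invented)
    b"1",                                                     # placeholder field
    b"Remcos-Host",                                           # placeholder campaign name
]
DEMO_BLOB = build_demo_blob(DEMO_KEY, DEMO_FIELDS)


def demo_hosts() -> list[tuple[str, int, str]]:
    """Round trip: decrypt the constructed blob and parse its C2 entries."""
    return parse_hosts(decrypt_settings(DEMO_BLOB)[0])


if __name__ == "__main__":
    for host, port, tail in demo_hosts():
        print(f"{host}:{port} (tail={tail!r})")
```

To use it on the sample itself, carve the 0x2ee bytes at RVA 0x7d5cc from the .rsrc section and pass them to decrypt_settings; a wrong key-length byte or a non-Remcos resource will surface as a ValueError or as fields that do not split on FIELD_SEP, rather than as silently wrong output.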
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Import clusters worth noting (all taken from the list above; they line up with the behaviour signatures in the overview):
• Keylogging: SetWindowsHookExA, CallNextHookEx, UnhookWindowsHookEx, GetKeyboardState, GetKeyboardLayout, ToUnicodeEx, GetForegroundWindow, GetWindowTextW (the global keyboard hook; the window titles end up in logs.dat as shown above).
• Clipboard, screen and microphone capture: OpenClipboard/GetClipboardData/SetClipboardData/EmptyClipboard; BitBlt/GetDIBits with the gdiplus encoder calls; waveInOpen/waveInStart/waveInAddBuffer.
• Process hollowing: CreateProcessW, GetThreadContext, ReadProcessMemory, WriteProcessMemory, SetThreadContext, ResumeThread, with VirtualAlloc/VirtualProtect for the payload mapping.
• UAC bypass through the CMSTPLUA COM elevation moniker: CoInitializeEx and CoGetObject in ole32.dll are the calls needed to instantiate it.
• Download-and-execute and remote shell: URLDownloadToFileW, URLOpenBlockingStreamW, InternetOpenUrlW/InternetReadFile, ShellExecuteW/ShellExecuteExA, CreateProcessA with CreatePipe/PeekNamedPipe for piping cmd.exe output back to the operator.
• Persistence and host control: RegCreateKeyExW/RegSetValueExW, the service-control set (OpenSCManagerW, EnumServicesStatusW, ChangeServiceConfigW, ControlService), AdjustTokenPrivileges/LookupPrivilegeValueA, ExitWindowsEx.
• C2 transport: raw Winsock (socket, connect, send, recv, gethostbyname), consistent with the unencrypted port-3000 check-ins in the network section and the dynamic-DNS finding in the signatures.
• IsDebuggerPresent is also referenced by the MSVC CRT's unhandled-exception path, so on its own it is weak evidence of deliberate anti-debugging.
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T11:34:14.966634+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49730 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:17.605523+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49731 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:20.246294+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49732 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:22.887271+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49733 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:25.528699+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49735 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:28.168641+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49740 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:30.853376+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49742 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:33.465131+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49743 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:36.215314+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49744 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:38.887077+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49745 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:41.529510+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49746 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:44.183565+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49747 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:46.825230+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49748 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:49.434187+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49749 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:52.074264+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49750 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:54.731492+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49751 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:57.376553+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49752 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:34:59.998452+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49753 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:02.642391+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49754 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:05.277531+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49756 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:08.011808+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49757 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:11.246515+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49758 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:13.973222+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49759 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:17.470094+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49760 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:20.106062+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49761 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:22.746258+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49762 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:25.361791+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49763 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:28.074218+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49764 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:30.714866+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49765 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:33.363018+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49766 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:36.016164+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49767 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:38.683185+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49768 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:41.271211+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49769 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:43.880176+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49770 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:46.420661+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49771 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:48.936643+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49772 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:51.449369+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49773 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:53.927683+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49774 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:56.376073+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49775 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:35:58.810119+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49776 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:36:01.169383+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49777 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:36:03.529990+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49778 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:36:05.886904+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49779 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:36:08.199280+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49780 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:36:10.466817+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49781 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:36:12.730824+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49782 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:36:14.997248+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49783 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:36:18.135052+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49784 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:20.355733+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49785 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:22.590615+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49786 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:24.868199+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49787 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:27.028077+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49788 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:29.214817+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49789 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:31.360193+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49790 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:33.482182+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49791 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:35.684583+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49792 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:37.796192+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49793 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:39.856114+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49794 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:41.933843+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49795 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:43.968198+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49796 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:45.999181+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49797 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:48.032294+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49798 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:50.028017+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49799 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:52.107221+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49800 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:54.107981+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49801 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:56.279657+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49802 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:36:58.262233+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49803 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:00.207690+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49804 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:02.160296+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49805 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:04.080145+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49806 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:06.121388+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49807 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:08.029964+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49808 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:09.965029+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49809 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:11.875095+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49810 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:13.746061+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49811 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:15.638813+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49812 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:17.775051+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49813 | 191.93.114.27 | 3000 | TCP
2024-09-26T11:37:21.334645+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49814 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:23.172226+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49815 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:25.027572+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49816 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:26.856213+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49817 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:28.841243+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49818 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:30.857044+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49819 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:32.668308+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49820 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:35.380231+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49821 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:37.153102+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49822 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:38.919346+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49823 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:40.699560+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49824 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:42.559613+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49825 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:44.342305+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49826 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:46.121468+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49827 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:47.872234+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49828 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:49.652941+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49829 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:51.433662+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49830 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:53.200243+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49831 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:54.936305+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49832 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:56.668145+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49833 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:37:58.449505+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49834 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:38:00.199428+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49835 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:38:01.933692+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49836 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:38:03.762359+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49837 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:38:05.499044+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49838 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:38:07.232660+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49839 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:38:08.993541+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49840 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:38:10.809690+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49841 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:38:12.528220+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49842 | 181.236.206.3 | 3000 | TCP
2024-09-26T11:38:14.264371+0200 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49843 | 181.236.206.3 | 3000 | TCP
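Beacon-cadence triage over the alerts above, as an added example (not from the Joe Sandbox report or the ET ruleset). It answers what an analyst asks of this table first: which C2 endpoints were contacted, in what order (fail-over from 181.236.206.3 to 191.93.114.27 and back), how regular the check-in interval is, and whether each check-in is a fresh TCP connection. ALERTS is a contiguous ten-row slice transcribed from the table around the first C2 switch; the destination port (3000), sensor host (192.168.2.4) and SID 2032776 are identical in every row, so only the varying columns are kept. The beaconing thresholds are assumptions chosen for the demo, not values from the report.

```python
"""Beacon-cadence triage over Suricata "Remcos 3.x Unencrypted Checkin" alerts.

Added example; not code from the Joe Sandbox report or the ET ruleset.
"""
from __future__ import annotations

from datetime import datetime
from statistics import median, pstdev

# (alert timestamp, source port, destination IP, destination port),
# transcribed from the report's IDS alert table (contiguous slice).
ALERTS = [
    ("2024-09-26T11:36:05.886904+0200", 49779, "181.236.206.3", 3000),
    ("2024-09-26T11:36:08.199280+0200", 49780, "181.236.206.3", 3000),
    ("2024-09-26T11:36:10.466817+0200", 49781, "181.236.206.3", 3000),
    ("2024-09-26T11:36:12.730824+0200", 49782, "181.236.206.3", 3000),
    ("2024-09-26T11:36:14.997248+0200", 49783, "181.236.206.3", 3000),
    ("2024-09-26T11:36:18.135052+0200", 49784, "191.93.114.27", 3000),
    ("2024-09-26T11:36:20.355733+0200", 49785, "191.93.114.27", 3000),
    ("2024-09-26T11:36:22.590615+0200", 49786, "191.93.114.27", 3000),
    ("2024-09-26T11:36:24.868199+0200", 49787, "191.93.114.27", 3000),
    ("2024-09-26T11:36:27.028077+0200", 49788, "191.93.114.27", 3000),
]


def parse_ts(ts: str) -> datetime:
    """Suricata-style timestamp with microseconds and a +HHMM offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def c2_runs(alerts) -> list[dict]:
    """Collapse consecutive alerts to the same endpoint into runs, preserving order."""
    runs: list[dict] = []
    for ts, _sport, ip, port in alerts:
        if runs and runs[-1]["dst"] == (ip, port):
            runs[-1]["count"] += 1
            runs[-1]["last"] = ts
        else:
            runs.append({"dst": (ip, port), "count": 1, "first": ts, "last": ts})
    return runs


def failovers(alerts) -> list[tuple[str, str, float]]:
    """(from_ip, to_ip, seconds between the last old-C2 alert and the first new-C2 alert)."""
    out = []
    for (t0, _, ip0, p0), (t1, _, ip1, p1) in zip(alerts, alerts[1:]):
        if (ip0, p0) != (ip1, p1):
            out.append((ip0, ip1, (parse_ts(t1) - parse_ts(t0)).total_seconds()))
    return out


def intervals(alerts) -> list[float]:
    """Seconds between consecutive alerts to the same endpoint (fail-over gaps excluded)."""
    return [
        (parse_ts(t1) - parse_ts(t0)).total_seconds()
        for (t0, _, ip0, p0), (t1, _, ip1, p1) in zip(alerts, alerts[1:])
        if (ip0, p0) == (ip1, p1)
    ]


def cadence(alerts, max_jitter_s: float = 0.5, max_period_s: float = 10.0) -> dict:
    """Call it beaconing when the period is short and the jitter around it is small.
    Both thresholds are demo assumptions, not values taken from the report."""
    ivs = intervals(alerts)
    med, dev = median(ivs), pstdev(ivs)
    return {"median_s": round(med, 3), "stdev_s": round(dev, 3),
            "beaconing": med <= max_period_s and dev <= max_jitter_s}


def fresh_socket_per_checkin(alerts) -> bool:
    """Strictly increasing ephemeral source ports mean one new TCP connection per
    check-in, which is what the report's per-port SYN/SYN-ACK packet list shows."""
    ports = [a[1] for a in alerts]
    return all(b > a for a, b in zip(ports, ports[1:]))


if __name__ == "__main__":
    for run in c2_runs(ALERTS):
        ip, port = run["dst"]
        print(f"{ip}:{port} x{run['count']} {run['first']} .. {run['last']}")
    print(failovers(ALERTS), cadence(ALERTS), fresh_socket_per_checkin(ALERTS))
```

Fail-over gaps are excluded from the interval statistics on purpose: the 3.1 s between the last 181.236.206.3 alert and the first 191.93.114.27 alert includes the failed or timed-out attempt on the first host, so folding it in would inflate the apparent jitter of a very regular ~2.3 s beacon.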
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Sep 26, 2024 11:34:14.960455894 CEST  49730        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:14.965312004 CEST  3000         49730      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:14.965475082 CEST  49730        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:14.966634035 CEST  49730        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:14.971440077 CEST  3000         49730      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:16.591768980 CEST  3000         49730      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:16.591867924 CEST  49730        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:16.592015982 CEST  49730        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:16.596858978 CEST  3000         49730      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:17.600114107 CEST  49731        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:17.605010033 CEST  3000         49731      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:17.605103970 CEST  49731        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:17.605523109 CEST  49731        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:17.610306978 CEST  3000         49731      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:19.233093023 CEST  3000         49731      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:19.233259916 CEST  49731        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:19.233330011 CEST  49731        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:19.238130093 CEST  3000         49731      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:20.240905046 CEST  49732        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:20.245744944 CEST  3000         49732      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:20.245873928 CEST  49732        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:20.246294022 CEST  49732        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:20.251087904 CEST  3000         49732      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:21.866481066 CEST  3000         49732      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:21.866636992 CEST  49732        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:21.866905928 CEST  49732        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:21.871691942 CEST  3000         49732      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:22.881759882 CEST  49733        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:22.886590958 CEST  3000         49733      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:22.886687040 CEST  49733        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:22.887270927 CEST  49733        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:22.892085075 CEST  3000         49733      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:24.519906998 CEST  3000         49733      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:24.519989014 CEST  49733        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:24.520087004 CEST  49733        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:24.525121927 CEST  3000         49733      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:25.523211956 CEST  49735        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:25.528215885 CEST  3000         49735      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:25.528285027 CEST  49735        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:25.528698921 CEST  49735        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:25.533509970 CEST  3000         49735      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:27.150520086 CEST  3000         49735      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:27.153629065 CEST  49735        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:27.153666973 CEST  49735        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:27.158587933 CEST  3000         49735      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:28.163084984 CEST  49740        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:28.167953014 CEST  3000         49740      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:28.168193102 CEST  49740        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:28.168641090 CEST  49740        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:28.173414946 CEST  3000         49740      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:29.818305016 CEST  3000         49740      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:29.818476915 CEST  49740        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:29.818999052 CEST  49740        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:29.825009108 CEST  3000         49740      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:30.845211983 CEST  49742        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:30.849991083 CEST  3000         49742      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:30.850147963 CEST  49742        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:30.853375912 CEST  49742        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:30.858202934 CEST  3000         49742      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:32.445630074 CEST  3000         49742      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:32.445688009 CEST  49742        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:32.445754051 CEST  49742        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:32.450558901 CEST  3000         49742      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:33.459656954 CEST  49743        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:33.464644909 CEST  3000         49743      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:33.464721918 CEST  49743        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:33.465131044 CEST  49743        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:33.469935894 CEST  3000         49743      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:35.197722912 CEST  3000         49743      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:35.197841883 CEST  49743        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:35.197946072 CEST  49743        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:35.202935934 CEST  3000         49743      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:36.209693909 CEST  49744        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:36.214677095 CEST  3000         49744      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:36.214775085 CEST  49744        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:36.215313911 CEST  49744        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:36.220312119 CEST  3000         49744      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:37.869363070 CEST  3000         49744      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:37.869575977 CEST  49744        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:37.869575977 CEST  49744        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:37.874666929 CEST  3000         49744      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:38.881506920 CEST  49745        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:38.886575937 CEST  3000         49745      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:38.886668921 CEST  49745        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:38.887077093 CEST  49745        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:38.891874075 CEST  3000         49745      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:40.507780075 CEST  3000         49745      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:40.507905960 CEST  49745        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:40.507942915 CEST  49745        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:40.512955904 CEST  3000         49745      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:41.523585081 CEST  49746        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:41.528995037 CEST  3000         49746      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:41.529089928 CEST  49746        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:41.529510021 CEST  49746        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:41.534797907 CEST  3000         49746      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:43.176325083 CEST  3000         49746      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:43.176415920 CEST  49746        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:43.176490068 CEST  49746        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:43.181333065 CEST  3000         49746      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:44.178234100 CEST  49747        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:44.183108091 CEST  3000         49747      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:44.183218956 CEST  49747        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:44.183564901 CEST  49747        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:44.188383102 CEST  3000         49747      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:45.809950113 CEST  3000         49747      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:45.810105085 CEST  49747        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:45.810197115 CEST  49747        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:45.814992905 CEST  3000         49747      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:46.819462061 CEST  49748        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:46.824489117 CEST  3000         49748      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:46.824666977 CEST  49748        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:46.825229883 CEST  49748        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:46.830121994 CEST  3000         49748      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:48.414165974 CEST  3000         49748      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:48.414347887 CEST  49748        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:48.414505959 CEST  49748        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:48.419338942 CEST  3000         49748      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:49.428442955 CEST  49749        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:49.433650017 CEST  3000         49749      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:49.433727980 CEST  49749        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:49.434186935 CEST  49749        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:49.439047098 CEST  3000         49749      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:51.065531015 CEST  3000         49749      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:51.065685987 CEST  49749        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:51.065768003 CEST  49749        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:51.070611000 CEST  3000         49749      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:52.068826914 CEST  49750        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:52.073756933 CEST  3000         49750      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:52.073857069 CEST  49750        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:52.074264050 CEST  49750        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:52.079113960 CEST  3000         49750      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:53.718772888 CEST  3000         49750      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:53.719000101 CEST  49750        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:53.719315052 CEST  49750        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:53.724122047 CEST  3000         49750      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:54.725395918 CEST  49751        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:54.730665922 CEST  3000         49751      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:54.730938911 CEST  49751        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:54.731492043 CEST  49751        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:54.736335039 CEST  3000         49751      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:56.354341030 CEST  3000         49751      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:56.354492903 CEST  49751        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:56.354587078 CEST  49751        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:56.360219955 CEST  3000         49751      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:57.371131897 CEST  49752        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:57.375930071 CEST  3000         49752      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:57.376024961 CEST  49752        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:57.376553059 CEST  49752        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:57.381465912 CEST  3000         49752      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:58.975166082 CEST  3000         49752      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:58.975235939 CEST  49752        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:58.975333929 CEST  49752        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:58.980032921 CEST  3000         49752      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:59.991983891 CEST  49753        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:59.997225046 CEST  3000         49753      181.236.206.3  192.168.2.4
Sep 26, 2024 11:34:59.997359037 CEST  49753        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:34:59.998451948 CEST  49753        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:00.003281116 CEST  3000         49753      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:01.619740009 CEST  3000         49753      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:01.619813919 CEST  49753        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:01.619858027 CEST  49753        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:01.626647949 CEST  3000         49753      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:02.633526087 CEST  49754        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:02.641372919 CEST  3000         49754      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:02.641535997 CEST  49754        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:02.642390966 CEST  49754        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:02.650154114 CEST  3000         49754      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:04.260303020 CEST  3000         49754      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:04.260420084 CEST  49754        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:04.260468006 CEST  49754        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:04.265283108 CEST  3000         49754      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:05.272165060 CEST  49756        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:05.277055025 CEST  3000         49756      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:05.277141094 CEST  49756        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:05.277530909 CEST  49756        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:05.282311916 CEST  3000         49756      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:06.995588064 CEST  3000         49756      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:06.995698929 CEST  49756        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:06.995733023 CEST  49756        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:07.000708103 CEST  3000         49756      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:08.006462097 CEST  49757        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:08.011306047 CEST  3000         49757      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:08.011393070 CEST  49757        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:08.011807919 CEST  49757        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:08.017365932 CEST  3000         49757      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:10.230598927 CEST  3000         49757      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:10.230766058 CEST  49757        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:10.230792999 CEST  3000         49757      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:10.230843067 CEST  49757        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:10.230942011 CEST  49757        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:10.231070995 CEST  3000         49757      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:10.231121063 CEST  49757        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:10.235713005 CEST  3000         49757      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:11.240904093 CEST  49758        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:11.245915890 CEST  3000         49758      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:11.246035099 CEST  49758        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:11.246515036 CEST  49758        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:11.251321077 CEST  3000         49758      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:12.868129969 CEST  3000         49758      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:12.868189096 CEST  49758        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:12.868227959 CEST  49758        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:12.873071909 CEST  3000         49758      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:13.881449938 CEST  49759        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:13.972748041 CEST  3000         49759      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:13.972919941 CEST  49759        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:13.973222017 CEST  49759        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:13.978007078 CEST  3000         49759      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:15.585535049 CEST  3000         49759      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:15.586864948 CEST  49759        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:15.586864948 CEST  49759        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:15.591708899 CEST  3000         49759      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:17.462783098 CEST  49760        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:17.467940092 CEST  3000         49760      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:17.469825983 CEST  49760        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:17.470093966 CEST  49760        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:17.474879026 CEST  3000         49760      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:19.090311050 CEST  3000         49760      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:19.095829964 CEST  49760        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:19.095887899 CEST  49760        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:19.101070881 CEST  3000         49760      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:20.100157022 CEST  49761        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:20.105089903 CEST  3000         49761      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:20.105842113 CEST  49761        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:20.106061935 CEST  49761        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:20.110923052 CEST  3000         49761      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:21.737668037 CEST  3000         49761      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:21.737833977 CEST  49761        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:21.737833977 CEST  49761        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:21.742639065 CEST  3000         49761      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:22.740811110 CEST  49762        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:22.745816946 CEST  3000         49762      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:22.745894909 CEST  49762        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:22.746258020 CEST  49762        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:22.751141071 CEST  3000         49762      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:24.336410999 CEST  3000         49762      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:24.336477995 CEST  49762        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:24.336524010 CEST  49762        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:24.342283964 CEST  3000         49762      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:25.350477934 CEST  49763        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:25.355752945 CEST  3000         49763      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:25.359834909 CEST  49763        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:25.361790895 CEST  49763        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:25.366635084 CEST  3000         49763      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:27.056938887 CEST  3000         49763      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:27.057007074 CEST  49763        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:27.057151079 CEST  49763        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:27.061907053 CEST  3000         49763      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:28.069010019 CEST  49764        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:28.073843002 CEST  3000         49764      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:28.073961020 CEST  49764        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:28.074218035 CEST  49764        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:28.079139948 CEST  3000         49764      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:29.701241970 CEST  3000         49764      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:29.703792095 CEST  49764        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:29.703834057 CEST  49764        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:29.708657980 CEST  3000         49764      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:30.709517956 CEST  49765        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:30.714427948 CEST  3000         49765      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:30.714530945 CEST  49765        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:30.714865923 CEST  49765        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:30.719718933 CEST  3000         49765      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:32.346985102 CEST  3000         49765      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:32.347057104 CEST  49765        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:32.347105026 CEST  49765        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:32.351957083 CEST  3000         49765      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:33.355990887 CEST  49766        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:33.362613916 CEST  3000         49766      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:33.362694979 CEST  49766        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:33.363018036 CEST  49766        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:33.367784023 CEST  3000         49766      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:34.996244907 CEST  3000         49766      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:34.996712923 CEST  49766        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:34.996968985 CEST  49766        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:35.002486944 CEST  3000         49766      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:36.007190943 CEST  49767        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:36.012095928 CEST  3000         49767      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:36.012202978 CEST  49767        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:36.016164064 CEST  49767        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:36.021058083 CEST  3000         49767      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:37.621397018 CEST  3000         49767      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:37.621643066 CEST  49767        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:37.621643066 CEST  49767        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:37.626650095 CEST  3000         49767      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:38.670813084 CEST  49768        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:38.675616980 CEST  3000         49768      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:38.675728083 CEST  49768        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:38.683185101 CEST  49768        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:38.688014030 CEST  3000         49768      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:40.288626909 CEST  3000         49768      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:40.288733959 CEST  49768        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:40.288819075 CEST  49768        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:40.294790030 CEST  3000         49768      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:41.263861895 CEST  49769        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:41.268727064 CEST  3000         49769      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:41.270802975 CEST  49769        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:41.271210909 CEST  49769        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:41.276066065 CEST  3000         49769      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:42.923233986 CEST  3000         49769      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:42.923309088 CEST  49769        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:42.923341990 CEST  49769        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:42.928231001 CEST  3000         49769      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:43.866195917 CEST  49770        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:43.874202967 CEST  3000         49770      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:43.879965067 CEST  49770        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:43.880176067 CEST  49770        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:43.887440920 CEST  3000         49770      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:45.493139982 CEST  3000         49770      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:45.493206978 CEST  49770        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:45.493262053 CEST  49770        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:45.498054028 CEST  3000         49770      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:46.412866116 CEST  49771        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:46.417690992 CEST  3000         49771      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:46.419886112 CEST  49771        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:46.420660973 CEST  49771        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:46.425441027 CEST  3000         49771      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:48.041011095 CEST  3000         49771      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:48.041096926 CEST  49771        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:48.041158915 CEST  49771        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:48.046019077 CEST  3000         49771      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:48.928312063 CEST  49772        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:48.936212063 CEST  3000         49772      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:48.936289072 CEST  49772        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:48.936642885 CEST  49772        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:48.944190979 CEST  3000         49772      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:50.587961912 CEST  3000         49772      181.236.206.3  192.168.2.4
Sep 26, 2024 11:35:50.591861010 CEST  49772        3000       192.168.2.4    181.236.206.3
Sep 26, 2024 11:35:50.591905117 CEST  49772        3000       192.168.2.4    181.236.206.3
                                  Sep 26, 2024 11:35:50.597312927 CEST300049772181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:51.443809032 CEST497733000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:51.448966026 CEST300049773181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:51.449078083 CEST497733000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:51.449368954 CEST497733000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:51.454154015 CEST300049773181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:53.092428923 CEST300049773181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:53.093868971 CEST497733000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:53.093899012 CEST497733000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:53.098754883 CEST300049773181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:53.921057940 CEST497743000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:53.927333117 CEST300049774181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:53.927440882 CEST497743000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:53.927683115 CEST497743000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:53.934052944 CEST300049774181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:55.564436913 CEST300049774181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:55.565974951 CEST497743000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:55.565999031 CEST497743000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:55.570971012 CEST300049774181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:56.365685940 CEST497753000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:56.370835066 CEST300049775181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:56.375828028 CEST497753000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:56.376072884 CEST497753000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:56.380924940 CEST300049775181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:58.038705111 CEST300049775181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:58.038809061 CEST497753000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:58.038872957 CEST497753000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:58.044991970 CEST300049775181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:58.803433895 CEST497763000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:58.808346987 CEST300049776181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:35:58.809820890 CEST497763000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:58.810118914 CEST497763000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:35:58.817707062 CEST300049776181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:00.417165995 CEST300049776181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:00.417232990 CEST497763000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:00.417304993 CEST497763000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:00.422179937 CEST300049776181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:01.162870884 CEST497773000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:01.167872906 CEST300049777181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:01.169127941 CEST497773000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:01.169383049 CEST497773000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:01.174242020 CEST300049777181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:02.796135902 CEST300049777181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:02.799858093 CEST497773000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:02.799904108 CEST497773000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:02.805721045 CEST300049777181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:03.522655964 CEST497783000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:03.529439926 CEST300049778181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:03.529509068 CEST497783000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:03.529989958 CEST497783000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:03.536623001 CEST300049778181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:05.178477049 CEST300049778181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:05.179848909 CEST497783000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:05.179994106 CEST497783000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:05.184863091 CEST300049778181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:05.881436110 CEST497793000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:05.886511087 CEST300049779181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:05.886604071 CEST497793000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:05.886904001 CEST497793000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:05.891753912 CEST300049779181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:07.512348890 CEST300049779181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:07.513242006 CEST497793000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:07.513304949 CEST497793000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:07.518240929 CEST300049779181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:08.193851948 CEST497803000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:08.198903084 CEST300049780181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:08.198988914 CEST497803000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:08.199280024 CEST497803000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:08.204103947 CEST300049780181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:09.805697918 CEST300049780181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:09.805792093 CEST497803000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:09.805881023 CEST497803000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:09.811213970 CEST300049780181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:10.459902048 CEST497813000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:10.464869976 CEST300049781181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:10.465004921 CEST497813000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:10.466816902 CEST497813000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:10.471724033 CEST300049781181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:12.101805925 CEST300049781181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:12.101880074 CEST497813000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:12.101880074 CEST497813000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:12.106820107 CEST300049781181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:12.725410938 CEST497823000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:12.730448961 CEST300049782181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:12.730534077 CEST497823000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:12.730823994 CEST497823000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:12.735748053 CEST300049782181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:14.384778976 CEST300049782181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:14.384859085 CEST497823000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:14.384905100 CEST497823000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:14.389754057 CEST300049782181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:14.991604090 CEST497833000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:14.996668100 CEST300049783181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:14.996737003 CEST497833000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:14.997247934 CEST497833000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:15.002856016 CEST300049783181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:16.651454926 CEST300049783181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:16.651546955 CEST497833000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:16.651604891 CEST497833000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:36:16.656519890 CEST300049783181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:36:18.123048067 CEST497843000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:18.128056049 CEST300049784191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:18.128230095 CEST497843000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:18.135051966 CEST497843000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:18.139893055 CEST300049784191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:19.769258022 CEST300049784191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:19.771850109 CEST497843000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:19.771883965 CEST497843000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:19.777367115 CEST300049784191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:20.350317955 CEST497853000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:20.355340004 CEST300049785191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:20.355467081 CEST497853000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:20.355732918 CEST497853000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:20.360605001 CEST300049785191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:22.036358118 CEST300049785191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:22.036695004 CEST497853000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:22.036789894 CEST497853000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:22.041753054 CEST300049785191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:22.584841967 CEST497863000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:22.590146065 CEST300049786191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:22.590226889 CEST497863000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:22.590615034 CEST497863000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:22.595451117 CEST300049786191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:24.238040924 CEST300049786191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:24.238097906 CEST497863000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:24.241019011 CEST497863000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:24.245851994 CEST300049786191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:24.784708023 CEST497873000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:24.864521027 CEST300049787191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:24.867852926 CEST497873000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:24.868199110 CEST497873000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:24.873366117 CEST300049787191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:26.513170004 CEST300049787191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:26.513250113 CEST497873000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:26.513292074 CEST497873000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:26.518106937 CEST300049787191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:27.022373915 CEST497883000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:27.027403116 CEST300049788191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:27.027836084 CEST497883000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:27.028076887 CEST497883000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:27.032857895 CEST300049788191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:28.715173006 CEST300049788191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:28.715352058 CEST497883000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:28.715955973 CEST497883000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:28.720861912 CEST300049788191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:29.209489107 CEST497893000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:29.214323997 CEST300049789191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:29.214396954 CEST497893000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:29.214817047 CEST497893000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:29.219722986 CEST300049789191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:30.869477034 CEST300049789191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:30.872008085 CEST497893000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:30.872008085 CEST497893000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:30.877002001 CEST300049789191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:31.350684881 CEST497903000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:31.356623888 CEST300049790191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:31.359970093 CEST497903000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:31.360193014 CEST497903000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:31.365227938 CEST300049790191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:33.001405001 CEST300049790191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:33.001482964 CEST497903000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:33.001589060 CEST497903000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:33.006906033 CEST300049790191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:33.475462914 CEST497913000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:33.480422020 CEST300049791191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:33.481878996 CEST497913000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:33.482182026 CEST497913000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:33.487026930 CEST300049791191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:35.221975088 CEST300049791191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:35.222053051 CEST497913000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:35.222086906 CEST497913000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:35.226996899 CEST300049791191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:35.678905964 CEST497923000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:35.683943033 CEST300049792191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:35.684046984 CEST497923000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:35.684582949 CEST497923000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:35.689495087 CEST300049792191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:37.342328072 CEST300049792191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:37.343895912 CEST497923000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:37.343986988 CEST497923000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:37.348803043 CEST300049792191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:37.788068056 CEST497933000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:37.792980909 CEST300049793191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:37.795887947 CEST497933000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:37.796191931 CEST497933000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:37.801000118 CEST300049793191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:39.422451019 CEST300049793191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:39.422512054 CEST497933000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:39.422560930 CEST497933000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:39.427380085 CEST300049793191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:39.850377083 CEST497943000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:39.855349064 CEST300049794191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:39.855864048 CEST497943000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:39.856113911 CEST497943000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:39.860923052 CEST300049794191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:41.516691923 CEST300049794191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:41.519912004 CEST497943000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:41.519953012 CEST497943000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:41.531445980 CEST300049794191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:41.928416967 CEST497953000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:41.933473110 CEST300049795191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:41.933557034 CEST497953000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:41.933842897 CEST497953000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:41.938846111 CEST300049795191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:43.563442945 CEST300049795191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:43.563932896 CEST497953000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:43.564083099 CEST497953000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:43.568999052 CEST300049795191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:43.959853888 CEST497963000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:43.964821100 CEST300049796191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:43.967914104 CEST497963000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:43.968198061 CEST497963000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:43.973440886 CEST300049796191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:45.609800100 CEST300049796191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:45.609898090 CEST497963000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:45.609935045 CEST497963000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:45.614871025 CEST300049796191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:45.990956068 CEST497973000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:45.996129990 CEST300049797191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:45.999011993 CEST497973000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:45.999181032 CEST497973000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:46.004122019 CEST300049797191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:47.654750109 CEST300049797191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:47.654846907 CEST497973000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:47.654846907 CEST497973000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:47.660459995 CEST300049797191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:48.022102118 CEST497983000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:48.026993990 CEST300049798191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:48.031904936 CEST497983000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:48.032294035 CEST497983000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:48.037077904 CEST300049798191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:49.656817913 CEST300049798191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:49.658921003 CEST497983000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:49.658968925 CEST497983000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:49.663847923 CEST300049798191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:50.022844076 CEST497993000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:50.027662039 CEST300049799191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:50.027761936 CEST497993000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:50.028017044 CEST497993000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:50.032757998 CEST300049799191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:51.656981945 CEST300049799191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:51.659915924 CEST497993000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:51.659961939 CEST497993000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:51.665338993 CEST300049799191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:52.006844044 CEST498003000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:52.103914022 CEST300049800191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:52.106983900 CEST498003000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:52.107220888 CEST498003000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:52.112010002 CEST300049800191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:53.759380102 CEST300049800191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:53.759998083 CEST498003000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:53.760139942 CEST498003000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:53.764900923 CEST300049800191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:54.100276947 CEST498013000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:54.107501030 CEST300049801191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:54.107588053 CEST498013000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:54.107980967 CEST498013000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:54.113934040 CEST300049801191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:55.829946041 CEST300049801191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:55.831935883 CEST498013000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:55.832050085 CEST498013000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:55.837218046 CEST300049801191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:56.162935972 CEST498023000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:56.279170990 CEST300049802191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:56.279295921 CEST498023000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:56.279656887 CEST498023000192.168.2.4191.93.114.27
                                  Sep 26, 2024 11:36:56.284436941 CEST300049802191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:36:57.942223072 CEST300049802191.93.114.27192.168.2.4
                                  Sep 26, 2024 11:38:10.710722923 CEST300049840181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:10.710791111 CEST498403000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:10.710838079 CEST498403000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:10.715662003 CEST300049840181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:10.804162025 CEST498413000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:10.809096098 CEST300049841181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:10.809165955 CEST498413000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:10.809689999 CEST498413000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:10.814474106 CEST300049841181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:12.437180042 CEST300049841181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:12.437283039 CEST498413000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:12.437483072 CEST498413000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:12.442183971 CEST300049841181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:12.522602081 CEST498423000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:12.527822971 CEST300049842181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:12.527920961 CEST498423000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:12.528219938 CEST498423000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:12.533312082 CEST300049842181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:14.172547102 CEST300049842181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:14.176069021 CEST498423000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:14.176109076 CEST498423000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:14.180942059 CEST300049842181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:14.256783009 CEST498433000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:14.262777090 CEST300049843181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:14.264071941 CEST498433000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:14.264370918 CEST498433000192.168.2.4181.236.206.3
                                  Sep 26, 2024 11:38:14.269592047 CEST300049843181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:15.985991955 CEST300049843181.236.206.3192.168.2.4
                                  Sep 26, 2024 11:38:15.986181021 CEST498433000192.168.2.4181.236.206.3
                                  TimestampSource PortDest PortSource IPDest IP
                                  Sep 26, 2024 11:34:08.573879004 CEST6437453192.168.2.41.1.1.1
                                  Sep 26, 2024 11:34:09.568046093 CEST6437453192.168.2.41.1.1.1
                                  Sep 26, 2024 11:34:10.568150997 CEST6437453192.168.2.41.1.1.1
                                  Sep 26, 2024 11:34:12.583479881 CEST6437453192.168.2.41.1.1.1
                                  Sep 26, 2024 11:34:12.583545923 CEST53643741.1.1.1192.168.2.4
                                  Sep 26, 2024 11:34:12.583559036 CEST53643741.1.1.1192.168.2.4
                                  Sep 26, 2024 11:34:12.583574057 CEST53643741.1.1.1192.168.2.4
                                  Sep 26, 2024 11:34:12.590177059 CEST53643741.1.1.1192.168.2.4
                                  Sep 26, 2024 11:34:13.599517107 CEST5144253192.168.2.41.1.1.1
                                  Sep 26, 2024 11:34:14.599195004 CEST5144253192.168.2.41.1.1.1
                                  Sep 26, 2024 11:34:14.957510948 CEST53514421.1.1.1192.168.2.4
                                  Sep 26, 2024 11:34:14.957540035 CEST53514421.1.1.1192.168.2.4
                                  Sep 26, 2024 11:35:16.599895954 CEST5355753192.168.2.41.1.1.1
                                  Sep 26, 2024 11:35:17.461158991 CEST53535571.1.1.1192.168.2.4
                                  Sep 26, 2024 11:36:17.240339994 CEST5189053192.168.2.41.1.1.1
                                  Sep 26, 2024 11:36:18.114399910 CEST53518901.1.1.1192.168.2.4
                                  Sep 26, 2024 11:37:19.646605015 CEST5780053192.168.2.41.1.1.1
                                  Sep 26, 2024 11:37:20.646203995 CEST5780053192.168.2.41.1.1.1
                                  Sep 26, 2024 11:37:21.328002930 CEST53578001.1.1.1192.168.2.4
                                  Sep 26, 2024 11:37:21.328042030 CEST53578001.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 11:34:08.573879004 CEST | 192.168.2.4 | 1.1.1.1 | 0x7487 | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:34:09.568046093 CEST | 192.168.2.4 | 1.1.1.1 | 0x7487 | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:34:10.568150997 CEST | 192.168.2.4 | 1.1.1.1 | 0x7487 | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:34:12.583479881 CEST | 192.168.2.4 | 1.1.1.1 | 0x7487 | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:34:13.599517107 CEST | 192.168.2.4 | 1.1.1.1 | 0xee6e | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:34:14.599195004 CEST | 192.168.2.4 | 1.1.1.1 | 0xee6e | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:35:16.599895954 CEST | 192.168.2.4 | 1.1.1.1 | 0x8efc | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:36:17.240339994 CEST | 192.168.2.4 | 1.1.1.1 | 0x3034 | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:37:19.646605015 CEST | 192.168.2.4 | 1.1.1.1 | 0x83b4 | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:37:20.646203995 CEST | 192.168.2.4 | 1.1.1.1 | 0x83b4 | Standard query (0) | 23spt.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 11:34:12.583545923 CEST | 1.1.1.1 | 192.168.2.4 | 0x7487 | Server failure (2) | 23spt.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:34:12.583559036 CEST | 1.1.1.1 | 192.168.2.4 | 0x7487 | Server failure (2) | 23spt.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:34:12.583574057 CEST | 1.1.1.1 | 192.168.2.4 | 0x7487 | Server failure (2) | 23spt.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:34:12.590177059 CEST | 1.1.1.1 | 192.168.2.4 | 0x7487 | Server failure (2) | 23spt.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:34:14.957510948 CEST | 1.1.1.1 | 192.168.2.4 | 0xee6e | No error (0) | 23spt.duckdns.org | | 181.236.206.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:34:14.957540035 CEST | 1.1.1.1 | 192.168.2.4 | 0xee6e | No error (0) | 23spt.duckdns.org | | 181.236.206.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:35:17.461158991 CEST | 1.1.1.1 | 192.168.2.4 | 0x8efc | No error (0) | 23spt.duckdns.org | | 181.236.206.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:36:18.114399910 CEST | 1.1.1.1 | 192.168.2.4 | 0x3034 | No error (0) | 23spt.duckdns.org | | 191.93.114.27 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:37:21.328002930 CEST | 1.1.1.1 | 192.168.2.4 | 0x83b4 | No error (0) | 23spt.duckdns.org | | 181.236.206.3 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 11:37:21.328042030 CEST | 1.1.1.1 | 192.168.2.4 | 0x83b4 | No error (0) | 23spt.duckdns.org | | 181.236.206.3 | A (IP address) | IN (0x0001) | false


                                  Target ID:0
                                  Start time:05:34:07
                                  Start date:26/09/2024
                                  Path:C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe"
                                  Imagebase:0x400000
                                  File size:494'080 bytes
                                  MD5 hash:599D0AACC8A8B93E5AA5A2EAE248CB01
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4139200887.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1678896409.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4139021655.000000000078E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:4%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:22.8%
                                    Total number of Nodes:1261
                                    Total number of Limit Nodes:44
                                    execution_graph 46547 4437fd 46548 443806 46547->46548 46549 44381f 46547->46549 46550 44380e 46548->46550 46554 443885 46548->46554 46552 443816 46552->46550 46565 443b52 22 API calls 2 library calls 46552->46565 46555 443891 46554->46555 46556 44388e 46554->46556 46566 44f45d GetEnvironmentStringsW 46555->46566 46556->46552 46561 4438a9 46574 446802 20 API calls _free 46561->46574 46562 4438d3 46562->46552 46564 44389e 46575 446802 20 API calls _free 46564->46575 46565->46549 46567 44f471 46566->46567 46568 443898 46566->46568 46576 4461b8 46567->46576 46568->46564 46573 4439aa 26 API calls 3 library calls 46568->46573 46571 44f485 ctype 46583 446802 20 API calls _free 46571->46583 46572 44f49f FreeEnvironmentStringsW 46572->46568 46573->46561 46574->46564 46575->46562 46577 4461f6 46576->46577 46581 4461c6 __Getctype 46576->46581 46585 44062d 20 API calls __dosmaperr 46577->46585 46578 4461e1 RtlAllocateHeap 46580 4461f4 46578->46580 46578->46581 46580->46571 46581->46577 46581->46578 46584 443001 7 API calls 2 library calls 46581->46584 46583->46572 46584->46581 46585->46580 46586 43bea8 46589 43beb4 _swprintf ___BuildCatchObject 46586->46589 46587 43bec2 46602 44062d 20 API calls __dosmaperr 46587->46602 46589->46587 46590 43beec 46589->46590 46597 445909 EnterCriticalSection 46590->46597 46592 43bec7 ___BuildCatchObject ___std_exception_copy 46593 43bef7 46598 43bf98 46593->46598 46597->46593 46600 43bfa6 46598->46600 46599 43bf02 46603 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 46599->46603 46600->46599 46604 4497ec 37 API calls 2 library calls 46600->46604 46602->46592 46603->46592 46604->46600 46605 434918 46606 434924 ___BuildCatchObject 46605->46606 46632 434627 46606->46632 46608 43492b 46610 434954 46608->46610 46930 434a8a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 46608->46930 46619 434993 ___scrt_is_nonwritable_in_current_image 
___scrt_release_startup_lock 46610->46619 46931 4442d2 5 API calls ___crtLCMapStringA 46610->46931 46612 43496d 46614 434973 ___BuildCatchObject 46612->46614 46932 444276 5 API calls ___crtLCMapStringA 46612->46932 46615 4349f3 46643 434ba5 46615->46643 46619->46615 46933 443487 36 API calls 6 library calls 46619->46933 46625 434a15 46626 434a1f 46625->46626 46935 4434bf 28 API calls _Atexit 46625->46935 46628 434a28 46626->46628 46936 443462 28 API calls _Atexit 46626->46936 46937 43479e 13 API calls 2 library calls 46628->46937 46631 434a30 46631->46614 46633 434630 46632->46633 46938 434cb6 IsProcessorFeaturePresent 46633->46938 46635 43463c 46939 438fb1 10 API calls 4 library calls 46635->46939 46637 434641 46638 434645 46637->46638 46940 44415f IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46637->46940 46638->46608 46640 43464e 46641 43465c 46640->46641 46941 438fda 8 API calls 3 library calls 46640->46941 46641->46608 46942 436f10 46643->46942 46646 4349f9 46647 444223 46646->46647 46944 44f0d9 46647->46944 46649 44422c 46650 434a02 46649->46650 46948 446895 36 API calls 46649->46948 46652 40ea00 46650->46652 46950 41cbe1 LoadLibraryA GetProcAddress 46652->46950 46654 40ea1c GetModuleFileNameW 46955 40f3fe 46654->46955 46656 40ea38 46970 4020f6 46656->46970 46659 4020f6 28 API calls 46660 40ea56 46659->46660 46976 41beac 46660->46976 46664 40ea68 47002 401e8d 46664->47002 46666 40ea71 46667 40ea84 46666->46667 46668 40eace 46666->46668 47265 40fbee 97 API calls 46667->47265 47008 401e65 46668->47008 46671 40ea96 46673 401e65 22 API calls 46671->46673 46672 40eade 46675 401e65 22 API calls 46672->46675 46674 40eaa2 46673->46674 47266 410f72 36 API calls __EH_prolog 46674->47266 46676 40eafd 46675->46676 47013 40531e 46676->47013 46679 40eb0c 47018 406383 46679->47018 46680 40eab4 47267 40fb9f 78 API calls 46680->47267 46684 40eabd 47268 40f3eb 71 API calls 46684->47268 46690 401fd8 11 API 
calls 46692 40ef36 46690->46692 46691 401fd8 11 API calls 46693 40eb36 46691->46693 46934 443396 GetModuleHandleW 46692->46934 46694 401e65 22 API calls 46693->46694 46695 40eb3f 46694->46695 47035 401fc0 46695->47035 46697 40eb4a 46698 401e65 22 API calls 46697->46698 46699 40eb63 46698->46699 46700 401e65 22 API calls 46699->46700 46701 40eb7e 46700->46701 46702 40ebe9 46701->46702 47269 406c59 46701->47269 46703 401e65 22 API calls 46702->46703 46709 40ebf6 46703->46709 46705 40ebab 46706 401fe2 28 API calls 46705->46706 46707 40ebb7 46706->46707 46708 401fd8 11 API calls 46707->46708 46711 40ebc0 46708->46711 46710 40ec3d 46709->46710 46715 413584 3 API calls 46709->46715 47039 40d0a4 46710->47039 47274 413584 RegOpenKeyExA 46711->47274 46713 40ec43 46714 40eac6 46713->46714 47042 41b354 46713->47042 46714->46690 46721 40ec21 46715->46721 46719 40f38a 47357 4139e4 30 API calls 46719->47357 46720 40ec5e 46722 40ecb1 46720->46722 47059 407751 46720->47059 46721->46710 47277 4139e4 30 API calls 46721->47277 46724 401e65 22 API calls 46722->46724 46727 40ecba 46724->46727 46736 40ecc6 46727->46736 46737 40eccb 46727->46737 46729 40f3a0 47358 4124b0 65 API calls ___scrt_fastfail 46729->47358 46730 40ec87 46734 401e65 22 API calls 46730->46734 46731 40ec7d 47278 407773 30 API calls 46731->47278 46745 40ec90 46734->46745 46735 40f3aa 46739 41bcef 28 API calls 46735->46739 47281 407790 CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 46736->47281 46742 401e65 22 API calls 46737->46742 46738 40ec82 47279 40729b 98 API calls 46738->47279 46743 40f3ba 46739->46743 46744 40ecd4 46742->46744 47168 413a5e RegOpenKeyExW 46743->47168 47063 41bcef 46744->47063 46745->46722 46750 40ecac 46745->46750 46748 40ecdf 47067 401f13 46748->47067 47280 40729b 98 API calls 46750->47280 46754 401f09 11 API calls 46756 40f3d7 46754->46756 46758 401f09 11 API calls 46756->46758 46760 40f3e0 46758->46760 46759 401e65 22 API calls 46761 40ecfc 46759->46761 47171 40dd7d 46760->47171 
46765 401e65 22 API calls 46761->46765 46767 40ed16 46765->46767 46766 40f3ea 46768 401e65 22 API calls 46767->46768 46769 40ed30 46768->46769 46770 401e65 22 API calls 46769->46770 46771 40ed49 46770->46771 46772 40edb6 46771->46772 46773 401e65 22 API calls 46771->46773 46774 40edc5 46772->46774 46780 40ef41 ___scrt_fastfail 46772->46780 46778 40ed5e _wcslen 46773->46778 46775 40edce 46774->46775 46803 40ee4a ___scrt_fastfail 46774->46803 46776 401e65 22 API calls 46775->46776 46777 40edd7 46776->46777 46779 401e65 22 API calls 46777->46779 46778->46772 46782 401e65 22 API calls 46778->46782 46781 40ede9 46779->46781 47342 413733 RegOpenKeyExA 46780->47342 46785 401e65 22 API calls 46781->46785 46783 40ed79 46782->46783 46786 401e65 22 API calls 46783->46786 46787 40edfb 46785->46787 46788 40ed8e 46786->46788 46790 401e65 22 API calls 46787->46790 47282 40da6f 46788->47282 46789 40ef8c 46791 401e65 22 API calls 46789->46791 46793 40ee24 46790->46793 46794 40efb1 46791->46794 46799 401e65 22 API calls 46793->46799 47089 402093 46794->47089 46796 401f13 28 API calls 46798 40edad 46796->46798 46801 401f09 11 API calls 46798->46801 46802 40ee35 46799->46802 46800 40efc3 47095 4137aa RegCreateKeyA 46800->47095 46801->46772 47340 40ce34 46 API calls _wcslen 46802->47340 47079 413982 46803->47079 46807 40ee45 46807->46803 46809 40eede ctype 46812 401e65 22 API calls 46809->46812 46810 401e65 22 API calls 46811 40efe5 46810->46811 47101 43bb2c 46811->47101 46813 40eef5 46812->46813 46813->46789 46816 40ef09 46813->46816 46819 401e65 22 API calls 46816->46819 46817 40effc 47345 41ce2c 88 API calls ___scrt_fastfail 46817->47345 46818 40f01f 46823 402093 28 API calls 46818->46823 46820 40ef12 46819->46820 46824 41bcef 28 API calls 46820->46824 46822 40f003 CreateThread 46822->46818 48208 41d4ee 10 API calls 46822->48208 46825 40f034 46823->46825 46826 40ef1e 46824->46826 46827 402093 28 API calls 46825->46827 47341 40f4af 107 API calls 46826->47341 46829 40f043 46827->46829 
47105 41b580 46829->47105 46830 40ef23 46830->46789 46832 40ef2a 46830->46832 46832->46714 46834 401e65 22 API calls 46835 40f054 46834->46835 46836 401e65 22 API calls 46835->46836 46837 40f066 46836->46837 46838 401e65 22 API calls 46837->46838 46839 40f086 46838->46839 46840 43bb2c 40 API calls 46839->46840 46841 40f093 46840->46841 46842 401e65 22 API calls 46841->46842 46843 40f09e 46842->46843 46844 401e65 22 API calls 46843->46844 46845 40f0af 46844->46845 46846 401e65 22 API calls 46845->46846 46847 40f0c4 46846->46847 46848 401e65 22 API calls 46847->46848 46849 40f0d5 46848->46849 46850 40f0dc StrToIntA 46849->46850 47129 409e1f 46850->47129 46853 401e65 22 API calls 46854 40f0f7 46853->46854 46855 40f103 46854->46855 46856 40f13c 46854->46856 47346 43455e 46855->47346 46859 401e65 22 API calls 46856->46859 46861 40f14c 46859->46861 46860 401e65 22 API calls 46862 40f11f 46860->46862 46864 40f194 46861->46864 46865 40f158 46861->46865 46863 40f126 CreateThread 46862->46863 46863->46856 48212 41a045 110 API calls __EH_prolog 46863->48212 46866 401e65 22 API calls 46864->46866 46867 43455e new 22 API calls 46865->46867 46868 40f19d 46866->46868 46869 40f161 46867->46869 46872 40f207 46868->46872 46873 40f1a9 46868->46873 46870 401e65 22 API calls 46869->46870 46871 40f173 46870->46871 46874 40f17a CreateThread 46871->46874 46875 401e65 22 API calls 46872->46875 46876 401e65 22 API calls 46873->46876 46874->46864 48211 41a045 110 API calls __EH_prolog 46874->48211 46877 40f210 46875->46877 46878 40f1b9 46876->46878 46879 40f255 46877->46879 46880 40f21c 46877->46880 46881 401e65 22 API calls 46878->46881 47154 41b69e GetComputerNameExW GetUserNameW 46879->47154 46883 401e65 22 API calls 46880->46883 46884 40f1ce 46881->46884 46886 40f225 46883->46886 47353 40da23 32 API calls 46884->47353 46890 401e65 22 API calls 46886->46890 46887 401f13 28 API calls 46889 40f269 46887->46889 46892 401f09 11 API calls 46889->46892 46893 40f23a 46890->46893 46891 40f1e1 
46894 401f13 28 API calls 46891->46894 46895 40f272 46892->46895 46904 43bb2c 40 API calls 46893->46904 46896 40f1ed 46894->46896 46897 40f27b SetProcessDEPPolicy 46895->46897 46898 40f27e CreateThread 46895->46898 46901 401f09 11 API calls 46896->46901 46897->46898 46899 40f293 CreateThread 46898->46899 46900 40f29f 46898->46900 48180 40f7e2 46898->48180 46899->46900 48207 412132 139 API calls 46899->48207 46902 40f2b4 46900->46902 46903 40f2a8 CreateThread 46900->46903 46905 40f1f6 CreateThread 46901->46905 46907 40f307 46902->46907 46909 402093 28 API calls 46902->46909 46903->46902 48209 412716 38 API calls ___scrt_fastfail 46903->48209 46906 40f247 46904->46906 46905->46872 48210 401be9 50 API calls 46905->48210 47354 40c19d 7 API calls 46906->47354 47165 41353a RegOpenKeyExA 46907->47165 46910 40f2d7 46909->46910 47355 4052fd 28 API calls 46910->47355 46915 40f328 46917 41bcef 28 API calls 46915->46917 46919 40f338 46917->46919 47356 413656 31 API calls 46919->47356 46924 40f34e 46925 401f09 11 API calls 46924->46925 46928 40f359 46925->46928 46926 40f381 DeleteFileW 46927 40f388 46926->46927 46926->46928 46927->46735 46928->46735 46928->46926 46929 40f36f Sleep 46928->46929 46929->46928 46930->46608 46931->46612 46932->46619 46933->46615 46934->46625 46935->46626 46936->46628 46937->46631 46938->46635 46939->46637 46940->46640 46941->46638 46943 434bb8 GetStartupInfoW 46942->46943 46943->46646 46945 44f0eb 46944->46945 46946 44f0e2 46944->46946 46945->46649 46949 44efd8 49 API calls 4 library calls 46946->46949 46948->46649 46949->46945 46951 41cc20 LoadLibraryA GetProcAddress 46950->46951 46952 41cc10 GetModuleHandleA GetProcAddress 46950->46952 46953 41cc49 44 API calls 46951->46953 46954 41cc39 LoadLibraryA GetProcAddress 46951->46954 46952->46951 46953->46654 46954->46953 47359 41b539 FindResourceA 46955->47359 46959 40f428 ctype 47369 4020b7 46959->47369 46962 401fe2 28 API calls 46963 40f44e 46962->46963 46964 401fd8 11 API calls 46963->46964 46965 
40f457 46964->46965 46966 43bda0 new 21 API calls 46965->46966 46967 40f468 ctype 46966->46967 47375 406e13 46967->47375 46969 40f49b 46969->46656 46971 40210c 46970->46971 46972 4023ce 11 API calls 46971->46972 46973 402126 46972->46973 46974 402569 28 API calls 46973->46974 46975 402134 46974->46975 46975->46659 47429 4020df 46976->47429 46978 41bf2f 46979 401fd8 11 API calls 46978->46979 46980 41bf61 46979->46980 46982 401fd8 11 API calls 46980->46982 46981 41bf31 47435 4041a2 28 API calls 46981->47435 46984 41bf69 46982->46984 46987 401fd8 11 API calls 46984->46987 46986 41bf3d 46988 401fe2 28 API calls 46986->46988 46990 40ea5f 46987->46990 46991 41bf46 46988->46991 46989 401fe2 28 API calls 46997 41bebf 46989->46997 46998 40fb52 46990->46998 46992 401fd8 11 API calls 46991->46992 46994 41bf4e 46992->46994 46993 401fd8 11 API calls 46993->46997 47436 41cec5 28 API calls 46994->47436 46997->46978 46997->46981 46997->46989 46997->46993 47433 4041a2 28 API calls 46997->47433 47434 41cec5 28 API calls 46997->47434 46999 40fb5e 46998->46999 47001 40fb65 46998->47001 47437 402163 11 API calls 46999->47437 47001->46664 47003 402163 47002->47003 47004 40219f 47003->47004 47438 402730 11 API calls 47003->47438 47004->46666 47006 402184 47439 402712 11 API calls std::_Deallocate 47006->47439 47009 401e6d 47008->47009 47011 401e75 47009->47011 47440 402158 22 API calls 47009->47440 47011->46672 47014 4020df 11 API calls 47013->47014 47015 40532a 47014->47015 47441 4032a0 47015->47441 47017 405346 47017->46679 47445 4051ef 47018->47445 47020 406391 47449 402055 47020->47449 47023 401fe2 47024 401ff1 47023->47024 47031 402039 47023->47031 47025 4023ce 11 API calls 47024->47025 47026 401ffa 47025->47026 47027 402015 47026->47027 47028 40203c 47026->47028 47481 403098 28 API calls 47027->47481 47029 40267a 11 API calls 47028->47029 47029->47031 47032 401fd8 47031->47032 47033 4023ce 11 API calls 47032->47033 47034 401fe1 47033->47034 47034->46691 47036 401fd2 47035->47036 
Control-flow graph for the preceding function: the rendered graph's node and edge listing (basic-block addresses with their API-call counts) is not reproduced here.

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                    • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                    • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                    • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad$HandleModule
                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                    • API String ID: 4236061018-3687161714
                                    • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                    • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                    • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                    • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                    Control-flow Graph
                                    • Function 0040EA00, basic blocks 40ea00-40f3ea (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)
                                    • Windows APIs called directly from this function: GetModuleFileNameW (entry block 40ea00), CreateThread (several worker threads started between 40effe and 40f2b2), StrToIntA (40f025 block), SetProcessDEPPolicy (40f27b), DeleteFileW (40f381) with a Sleep-and-retry loop at 40f36f
                                    • Internal subcalls of note: 41cbe1 (dynamic import resolution, see the subcall APIs below), 413584 (registry value read, see the 00413584 entry below), 40dd7d and 414f65 on the tail path 40f3e0
                                    APIs
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                      • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                      • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                      • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe,00000104), ref: 0040EA29
                                      • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                    • String ID: ,aF$,aF$Access Level: $Administrator$C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-RZH5WZ$Software\$User$dMG$del$del$exepath$h&y$licence$license_code.txt$xKy$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                    • API String ID: 2830904901-2577398134
                                    • Opcode ID: 2e4b8a036098daf9789f12e7942aef49aa4d5699890582e7bb7fe2fc6a0225af
                                    • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                    • Opcode Fuzzy Hash: 2e4b8a036098daf9789f12e7942aef49aa4d5699890582e7bb7fe2fc6a0225af
                                    • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                    Control-flow Graph
                                    • Function 0040A2F3, basic blocks 40a2f3-40a3a1 (rendered graph omitted)
                                    • 40a30c: GetModuleHandleA then SetWindowsHookExA; 40a328: failure path, GetLastError and the "Keylogger initialization failure" log string; 40a36e-40a398: GetMessageA / TranslateMessage / DispatchMessageA loop that keeps the hook thread pumping messages
                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                    • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                    • GetLastError.KERNEL32 ref: 0040A328
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                    • TranslateMessage.USER32(?), ref: 0040A385
                                    • DispatchMessageA.USER32(?), ref: 0040A390
                                    Strings
                                    • Keylogger initialization failure: error , xrefs: 0040A33C
                                    Yara matches
                                    Similarity
                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                    • String ID: Keylogger initialization failure: error
                                    • API String ID: 3219506041-952744263
                                    • Opcode ID: 90b0715fe4a03c7950091ea493cf6ac8be3b9c9bd1286eec6a190886210d1988
                                    • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                    • Opcode Fuzzy Hash: 90b0715fe4a03c7950091ea493cf6ac8be3b9c9bd1286eec6a190886210d1988
                                    • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                      • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                      • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                    • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                    • ExitProcess.KERNEL32 ref: 0040F905
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                    • String ID: 5.1.2 Pro$h&y$override$pth_unenc
                                    • API String ID: 2281282204-793420385
                                    • Opcode ID: 63a879446c8ff419ef4e70c844bd481c765728b91b26e4cfc9b1ce748e39a5f9
                                    • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                    • Opcode Fuzzy Hash: 63a879446c8ff419ef4e70c844bd481c765728b91b26e4cfc9b1ce748e39a5f9
                                    • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
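Three of the traces above are worth extracting from a report like this mechanically: the LoadLibraryA/GetModuleHandleA followed by GetProcAddress pairs in 0041CBE1 (imports resolved at run time, so NtUnmapViewOfSection, NtSuspendProcess, NtQueryInformationProcess and the Restart Manager calls never appear in the import table), the SetWindowsHookExA(0000000D, 0040A2DF, 00000000) call in 0040A2F3 (0x0D is WH_KEYBOARD_LL, a global low-level keyboard hook, which only fires while the installing thread runs the GetMessageA loop that follows), and the RegOpenKeyExA(80000001, ...) / RegQueryValueExA pair in 00413584 (0x80000001 is HKEY_CURRENT_USER, consistent with the Software\, exepath and licence strings listed for the 0040EA00 function that calls it). The Python script below is an added triage helper, not part of the Joe Sandbox report or of the sample; it parses trace lines in the format shown on this page and flags those three patterns. The sample input is a handful of lines copied from the report. One assumption is labelled in the code: in these traces the second argument printed for a LoadLibraryA/GetModuleHandleA call is read as the name string already pushed for the GetProcAddress that immediately follows (an 8-digit hex value there is read as an ordinal), which is how the names in the String ID list line up with the pairs above.

```python
"""Added triage helper for Joe Sandbox-style API trace lines (not part of the
report or the sample).  Parses lines such as
  • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
and flags dynamic import resolution, keyboard hooks and registry config reads."""
import re

# Optional "Part of subcall function XXXXXXXX: " prefix, then API.MODULE(args), ref: ADDR.
# Lines without an argument list ("GetLastError.KERNEL32 ref: 0040A328") also match.
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})"
)

WH_KEYBOARD = 0x02                      # user32 hook ids
WH_KEYBOARD_LL = 0x0D
HIVES = {0x80000001: "HKCU", 0x80000002: "HKLM"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}


def parse_trace(text):
    """Turn report lines into dicts: api, module, args (list of str), ref (int), sub."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw.strip() else []
        calls.append({"api": m.group("api"), "module": m.group("mod").upper(),
                      "args": args, "ref": int(m.group("ref"), 16), "sub": m.group("sub")})
    return calls


def _hex(arg):
    """Joe Sandbox prints numeric args as 8 hex digits; strings and '?' give None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def resolved_imports(calls):
    """(library, name) for each loader call immediately followed by GetProcAddress.
    Assumption: the loader's second printed argument is the stacked name string
    consumed by that GetProcAddress; an 8-hex-digit value there is an ordinal."""
    found = []
    for prev, cur in zip(calls, calls[1:]):
        if cur["api"] == "GetProcAddress" and prev["api"] in LOADERS and len(prev["args"]) >= 2:
            ordinal = _hex(prev["args"][1])
            found.append((prev["args"][0].lower(),
                          f"#{ordinal}" if ordinal is not None else prev["args"][1]))
    return found


def keyboard_hooks(calls):
    """SetWindowsHookEx installing WH_KEYBOARD/WH_KEYBOARD_LL; an LL hook only
    runs if the installing thread pumps messages, so record whether a pump exists."""
    has_pump = any(c["api"].startswith(("GetMessage", "PeekMessage")) for c in calls)
    hits = []
    for c in calls:
        if c["api"] in ("SetWindowsHookExA", "SetWindowsHookExW") and c["args"]:
            hook_id = _hex(c["args"][0])
            if hook_id in (WH_KEYBOARD, WH_KEYBOARD_LL):
                hits.append({"ref": c["ref"],
                             "hook": "WH_KEYBOARD_LL" if hook_id == WH_KEYBOARD_LL else "WH_KEYBOARD",
                             "callback": _hex(c["args"][1]) if len(c["args"]) > 1 else None,
                             "has_message_pump": has_pump})
    return hits


def registry_reads(calls):
    """RegOpenKeyEx on a known hive, with RegQueryValueEx within the next three calls."""
    hits = []
    for i, c in enumerate(calls):
        if c["api"] in ("RegOpenKeyExA", "RegOpenKeyExW") and c["args"]:
            queried = any(k["api"].startswith("RegQueryValueEx") for k in calls[i + 1:i + 4])
            hits.append({"ref": c["ref"], "hive": HIVES.get(_hex(c["args"][0])), "queried": queried})
    return hits


def triage(text):
    calls = parse_trace(text)
    imports = resolved_imports(calls)
    return {"calls": len(calls), "dynamic_imports": imports,
            "nt_api": sorted({name for _, name in imports if name.startswith("Nt")}),
            "keyboard_hooks": keyboard_hooks(calls), "registry_reads": registry_reads(calls)}


# Constructed sample: trace lines copied from the report entries above.
SAMPLE_TRACE = """
• Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
• SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
• Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
• Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
• Sleep.KERNEL32(00000BB8), ref: 0040F896
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_TRACE), indent=2))
```

Run it against the whole report text rather than the constructed sample to get the full list of run-time-resolved names; the `nt_api` field is the quickest indicator that the binary deliberately keeps its ntdll usage out of the import table.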

                                    Control-flow Graph
                                    • Function 00404F51, basic blocks 404f51-404ff1 (rendered graph omitted)
                                    • 404f7d: GetLocalTime and the "KeepAlive | Enabled | Timeout:" log string; 404fc0-404fe8: CreateEventA followed by CreateThread, then the 404fec exit block
                                    APIs
                                    • GetLocalTime.KERNEL32(?), ref: 00404F81
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                    Strings
                                    • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                    Yara matches
                                    Similarity
                                    • API ID: Create$EventLocalThreadTime
                                    • String ID: KeepAlive | Enabled | Timeout:
                                    • API String ID: 2532271599-1507639952
                                    • Opcode ID: d6bdf093f7aea2e5024bc4ba9810f3b5686ab9589db354a71a8a5fd0b8ad62b9
                                    • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                    • Opcode Fuzzy Hash: d6bdf093f7aea2e5024bc4ba9810f3b5686ab9589db354a71a8a5fd0b8ad62b9
                                    • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                    APIs
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                    • SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                    • recv.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404BDA
                                    Yara matches
                                    Similarity
                                    • API ID: EventObjectSingleWaitrecv
                                    • String ID:
                                    • API String ID: 311754179-0
                                    • Opcode ID: cdb06e8163b8322063f134be74ce7e1cf20e247c26aa7992d3e9e0113c183a83
                                    • Instruction ID: 0899ded2458b7d4720508400fe02e5f5257555b40415190a6d7bc1514cf1b529
                                    • Opcode Fuzzy Hash: cdb06e8163b8322063f134be74ce7e1cf20e247c26aa7992d3e9e0113c183a83
                                    • Instruction Fuzzy Hash: 53F05E36108212FFC7019F10EC09E0AFB62FB85721F10862AF510512B08771FC20DB95
                                    APIs
                                    • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                    • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                    Yara matches
                                    Similarity
                                    • API ID: Name$ComputerUser
                                    • String ID:
                                    • API String ID: 4229901323-0
                                    • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                    • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                    • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                    • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                    APIs
                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.2 Pro), ref: 0040F920
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                    • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                    • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                    • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                    Control-flow Graph
                                    • Function 00414F65, basic blocks 414f65-415b20 (rendered graph omitted)
                                    • 414faf: Sleep; 4151c7: WSAGetLastError on the error path out of 415133; 4153fb-415a45: large block with GetTickCount and the subcalls 404aa1 and 404c10; 415aac: CreateThread; tail block 415af2-415b12 sleeps and branches back to 41507c, so the function loops until the 415b18 exit
                                    APIs
                                    • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                    • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                    • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$ErrorLastLocalTime
                                    • String ID: | $%I64u$(1|$,aF$5.1.2 Pro$C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-RZH5WZ$TLS Off$TLS On $dMG$h&y$hlight$name$xKy$NG$NG$PG$PG$PG
                                    • API String ID: 524882891-4044505293
                                    • Opcode ID: 5603afd721bca2b7231e97c667ce022fc2680217bfd9e4e68c67581408428808
                                    • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                    • Opcode Fuzzy Hash: 5603afd721bca2b7231e97c667ce022fc2680217bfd9e4e68c67581408428808
                                    • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNEL32(00001388), ref: 0040A77B
                                      • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                      • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                      • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                      • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                    • String ID: pz$xKy$xdF$PG$PG
                                    • API String ID: 3795512280-1940204396
                                    • Opcode ID: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                    • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                    • Opcode Fuzzy Hash: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                    • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E

                                    Control-flow Graph

                                    control_flow_graph 1023 4048c8-4048e8 connect 1024 404a1b-404a1f 1023->1024 1025 4048ee-4048f1 1023->1025 1028 404a21-404a2f WSAGetLastError 1024->1028 1029 404a97 1024->1029 1026 404a17-404a19 1025->1026 1027 4048f7-4048fa 1025->1027 1030 404a99-404a9e 1026->1030 1031 404926-404930 call 420cf1 1027->1031 1032 4048fc-404923 call 40531e call 402093 call 41b580 1027->1032 1028->1029 1033 404a31-404a34 1028->1033 1029->1030 1043 404941-40494e call 420f20 1031->1043 1044 404932-40493c 1031->1044 1032->1031 1036 404a71-404a76 1033->1036 1037 404a36-404a6f call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 1033->1037 1040 404a7b-404a94 call 402093 * 2 call 41b580 1036->1040 1037->1029 1040->1029 1057 404950-404973 call 402093 * 2 call 41b580 1043->1057 1058 404987-404992 call 421ad1 1043->1058 1044->1040 1084 404976-404982 call 420d31 1057->1084 1069 4049c4-4049d1 call 420e97 1058->1069 1070 404994-4049c2 call 402093 * 2 call 41b580 call 421143 1058->1070 1081 4049d3-4049f6 call 402093 * 2 call 41b580 1069->1081 1082 4049f9-404a14 CreateEventW * 2 1069->1082 1070->1084 1081->1082 1082->1026 1084->1029
                                    APIs
                                    • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                    • WSAGetLastError.WS2_32 ref: 00404A21
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                    • API String ID: 994465650-2151626615
                                    • Opcode ID: 5c0f1f7910a8b4d125b3fdd9be88a95e0497a1e925329f4287c4e3920d288485
                                    • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                    • Opcode Fuzzy Hash: 5c0f1f7910a8b4d125b3fdd9be88a95e0497a1e925329f4287c4e3920d288485
                                    • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                    Control-flow Graph

                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                    • closesocket.WS2_32(000000FF), ref: 00404E5A
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                    • String ID:
                                    • API String ID: 3658366068-0
                                    • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                    • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                    • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                    • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                    Control-flow Graph

                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 0040AD73
                                    • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                    • GetForegroundWindow.USER32 ref: 0040AD84
                                    • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                    • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                      • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                    • String ID: [${ User has been idle for $ minutes }$]
                                    • API String ID: 911427763-3954389425
                                    • Opcode ID: 9c0ea1497b002db213ca3d4c258de7d47da5450525101b72f9826710761d16ec
                                    • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                    • Opcode Fuzzy Hash: 9c0ea1497b002db213ca3d4c258de7d47da5450525101b72f9826710761d16ec
                                    • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F

                                    Control-flow Graph

                                    control_flow_graph 1195 40da6f-40da94 call 401f86 1198 40da9a 1195->1198 1199 40dbbe-40dbe4 call 401f04 GetLongPathNameW call 40417e 1195->1199 1200 40dae0-40dae7 call 41c048 1198->1200 1201 40daa1-40daa6 1198->1201 1202 40db93-40db98 1198->1202 1203 40dad6-40dadb 1198->1203 1204 40dba9 1198->1204 1205 40db9a-40db9f call 43c11f 1198->1205 1206 40daab-40dab9 call 41b645 call 401f13 1198->1206 1207 40dacc-40dad1 1198->1207 1208 40db8c-40db91 1198->1208 1225 40dbe9-40dc56 call 40417e call 40de0c call 402fa5 * 2 call 401f09 * 5 1199->1225 1220 40dae9-40db39 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1200->1220 1221 40db3b-40db87 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1200->1221 1210 40dbae-40dbb3 call 43c11f 1201->1210 1202->1210 1203->1210 1204->1210 1215 40dba4-40dba7 1205->1215 1228 40dabe 1206->1228 1207->1210 1208->1210 1222 40dbb4-40dbb9 call 409092 1210->1222 1215->1204 1215->1222 1233 40dac2-40dac7 call 401f09 1220->1233 1221->1228 1222->1199 1228->1233 1233->1199
                                    APIs
                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                    • API String ID: 82841172-425784914
                                    • Opcode ID: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
                                    • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                    • Opcode Fuzzy Hash: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
                                    • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                    Control-flow Graph

                                    control_flow_graph 1341 41c482-41c493 1342 41c495-41c498 1341->1342 1343 41c4ab-41c4b2 1341->1343 1344 41c4a1-41c4a9 1342->1344 1345 41c49a-41c49f 1342->1345 1346 41c4b3-41c4cc CreateFileW 1343->1346 1344->1346 1345->1346 1347 41c4d2-41c4d7 1346->1347 1348 41c4ce-41c4d0 1346->1348 1350 41c4f2-41c503 WriteFile 1347->1350 1351 41c4d9-41c4e7 SetFilePointer 1347->1351 1349 41c510-41c515 1348->1349 1353 41c505 1350->1353 1354 41c507-41c50e CloseHandle 1350->1354 1351->1350 1352 41c4e9-41c4f0 CloseHandle 1351->1352 1352->1348 1353->1354 1354->1349
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                    • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                    • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                    • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreatePointerWrite
                                    • String ID: xpF
                                    • API String ID: 1852769593-354647465
                                    • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                    • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                    • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                    • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639

                                    Control-flow Graph

                                    control_flow_graph 1355 41b354-41b3ab call 41c048 call 4135e1 call 401fe2 call 401fd8 call 406b1c 1366 41b3ad-41b3bc call 4135e1 1355->1366 1367 41b3ee-41b3f7 1355->1367 1371 41b3c1-41b3d8 call 401fab StrToIntA 1366->1371 1369 41b400 1367->1369 1370 41b3f9-41b3fe 1367->1370 1372 41b405-41b410 call 40537d 1369->1372 1370->1372 1377 41b3e6-41b3e9 call 401fd8 1371->1377 1378 41b3da-41b3e3 call 41cffa 1371->1378 1377->1367 1378->1377
                                    APIs
                                      • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                      • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                      • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                      • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                      • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                    • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseCurrentOpenQueryValueWow64
                                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                    • API String ID: 782494840-2070987746
                                    • Opcode ID: 8c19a994082f4321bdc384a8b48a1832129d6d8eaa349cc43c026258e8294c9e
                                    • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                    • Opcode Fuzzy Hash: 8c19a994082f4321bdc384a8b48a1832129d6d8eaa349cc43c026258e8294c9e
                                    • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                    Control-flow Graph

                                    control_flow_graph 1382 40a6b0-40a6c0 1383 40a6c6-40a6c8 1382->1383 1384 40a75d-40a760 1382->1384 1385 40a6cb-40a6f1 call 401f04 CreateFileW 1383->1385 1388 40a731 1385->1388 1389 40a6f3-40a701 GetFileSize 1385->1389 1392 40a734-40a738 1388->1392 1390 40a703 1389->1390 1391 40a728-40a72f CloseHandle 1389->1391 1394 40a705-40a70b 1390->1394 1395 40a70d-40a714 1390->1395 1391->1392 1392->1385 1393 40a73a-40a73d 1392->1393 1393->1384 1396 40a73f-40a746 1393->1396 1394->1391 1394->1395 1397 40a716-40a718 call 40b117 1395->1397 1398 40a71d-40a722 Sleep 1395->1398 1396->1384 1399 40a748-40a758 call 409097 call 40a1b4 1396->1399 1397->1398 1398->1391 1399->1384
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                    • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                    • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSizeSleep
                                    • String ID: XQG
                                    • API String ID: 1958988193-3606453820
                                    • Opcode ID: 28ce54e323a61a7c7e3df4bf156f69a9efcaf564c436a4257aa778de296e5956
                                    • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                    • Opcode Fuzzy Hash: 28ce54e323a61a7c7e3df4bf156f69a9efcaf564c436a4257aa778de296e5956
                                    • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F

                                    Control-flow Graph

                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                      • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                      • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread$LocalTimewsprintf
                                    • String ID: Offline Keylogger Started
                                    • API String ID: 465354869-4114347211
                                    • Opcode ID: c7934c326ef2b1dcecdff176d04098d35d6efa8e09e0995c368ff86506386951
                                    • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                    • Opcode Fuzzy Hash: c7934c326ef2b1dcecdff176d04098d35d6efa8e09e0995c368ff86506386951
                                    • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                    • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137E1
                                    • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137EC
                                    Strings
                                    • API ID: CloseCreateValue
                                    • String ID: pth_unenc
                                    • API String ID: 1818849710-4028850238
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                    • GetLastError.KERNEL32 ref: 0040D0BE
                                    Strings
                                    • API ID: CreateErrorLastMutex
                                    • String ID: Rmc-RZH5WZ
                                    • API String ID: 1925916568-854130098
                                    APIs
                                    • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                    • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                    • API ID: EventObjectSingleWaitsend
                                    • String ID:
                                    • API String ID: 3963590051-0
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                    • RegCloseKey.KERNEL32(?), ref: 0041362D
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                    • RegCloseKey.KERNEL32(00000000), ref: 00413773
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044F461
                                    • _free.LIBCMT ref: 0044F49A
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F4A1
                                    • API ID: EnvironmentStrings$Free_free
                                    • String ID:
                                    • API String ID: 2716640707-0
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                    • RegCloseKey.KERNEL32(?), ref: 004135CD
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    APIs
                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                    • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                    • API ID: CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 3677997916-0
                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                    • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                    • RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                    • API ID: CloseCreateValue
                                    • String ID:
                                    • API String ID: 1818849710-0
                                    APIs
                                    Strings
                                    • API ID: _wcslen
                                    • String ID: pz
                                    • API String ID: 176396367-2656417606
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                                    Strings
                                    • API ID: GlobalMemoryStatus
                                    • String ID: @
                                    • API String ID: 1890195054-2766056989
                                    APIs
                                    • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8), ref: 0041CB9A
                                    • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                    • API ID: FormatFreeLocalMessage
                                    • String ID:
                                    • API String ID: 1427518018-0
                                    APIs
                                    • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                      • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                    • API ID: CreateEventStartupsocket
                                    • String ID:
                                    • API String ID: 1953588214-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                    • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                    • Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                    • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 0041BB49
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$ForegroundText
                                    • String ID:
                                    • API String ID: 29597999-0
                                    • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                    • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                    • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                    • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                    APIs
                                    • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                    • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                      • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                      • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                      • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                      • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                      • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                      • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                      • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                      • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                    • String ID:
                                    • API String ID: 1170566393-0
                                    • Opcode ID: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                    • Instruction ID: 64a5677b7ab27dcaa32d5743096e05a6e92bfc5102e3e8065abb212a99eff034
                                    • Opcode Fuzzy Hash: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                    • Instruction Fuzzy Hash: 23D017322005316BD320A769AC00AEBAA9EDFD6760B12003BBD08D2251DA949C8286E8
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                    • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                    • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                    • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                    APIs
                                    • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Startup
                                    • String ID:
                                    • API String ID: 724789610-0
                                    • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                    • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                                    • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                    • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                    • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                      • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C37D
                                      • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C3AD
                                      • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C402
                                      • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C463
                                      • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C46A
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                    • DeleteFileA.KERNEL32(?), ref: 0040868D
                                      • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                      • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                      • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                      • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                    • Sleep.KERNEL32(000007D0), ref: 00408733
                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                      • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                    • String ID: (PG$(aF$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                    • API String ID: 1067849700-414524693
                                    • Opcode ID: 1159415c30e02616cd70a330390d5baa9f1d06528eaf0f7803046139ec59ee36
                                    • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                    • Opcode Fuzzy Hash: 1159415c30e02616cd70a330390d5baa9f1d06528eaf0f7803046139ec59ee36
                                    • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004056E6
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • __Init_thread_footer.LIBCMT ref: 00405723
                                    • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                    • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                    • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                    • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                    • CloseHandle.KERNEL32 ref: 00405A23
                                    • CloseHandle.KERNEL32 ref: 00405A2B
                                    • CloseHandle.KERNEL32 ref: 00405A3D
                                    • CloseHandle.KERNEL32 ref: 00405A45
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                    • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                    • API String ID: 2994406822-18413064
                                    • Opcode ID: 7e6000a8a7e4ba05ca38dfd82d922d01f1a458e024efa59c1ff409d8a81639b8
                                    • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                    • Opcode Fuzzy Hash: 7e6000a8a7e4ba05ca38dfd82d922d01f1a458e024efa59c1ff409d8a81639b8
                                    • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                    APIs
                                    • GetCurrentProcessId.KERNEL32 ref: 00412141
                                      • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                      • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                      • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                    • CloseHandle.KERNEL32(00000000), ref: 00412190
                                    • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                    • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$h&y$rmclient.exe$svchost.exe
                                    • API String ID: 3018269243-2769363149
                                    • Opcode ID: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                    • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                    • Opcode Fuzzy Hash: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                    • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,xKy), ref: 0040F4C9
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,xKy), ref: 0040F4F4
                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,xKy), ref: 0040F59E
                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                    • CloseHandle.KERNEL32(00000000,?,xKy), ref: 0040F6A9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$h&y$ieinstal.exe$ielowutil.exe$xKy$xdF$xdF
                                    • API String ID: 3756808967-348500351
                                    • Opcode ID: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                    • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                    • Opcode Fuzzy Hash: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                    • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
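The three entries above (the cmd.exe shell built on CreatePipe/CreateProcessA, the watchdog that names fsutil.exe, svchost.exe and rmclient.exe, and the Toolhelp32 process walk that looks for ieinstal.exe and ielowutil.exe) describe parent/child relationships that show up in process-creation telemetry. The following Python is an added example, not code from this report or from the sample: it applies two process-tree rules to constructed Sysmon-style events. The event fields, the baseline that the two Internet Explorer helper binaries never spawn those children, and the services.exe parent check for svchost.exe are assumptions of the example, not statements of the report.

```python
"""Process-tree rules for the Remcos behaviour in the entries above.

Added example; this is not code from the Joe Sandbox report or from the
sample. The event shape (pid, ppid, image, command_line) is an assumption
modelled on Sysmon event 1 / Windows 4688 fields, and SAMPLE_EVENTS is
constructed, not captured telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# Process names the sample compares against when walking the process list
# with CreateToolhelp32Snapshot/Process32First/Process32Next (function 0040F4C9).
INJECTION_HOSTS = {"ieinstal.exe", "ielowutil.exe"}

# Children produced or targeted by the shell function (cmd.exe via
# CreatePipe/CreateProcessA at 004057B6..0040583F) and the watchdog function
# (fsutil.exe, svchost.exe, rmclient.exe strings, function at 00412141).
# ASSUMPTION: a legitimate ieinstal.exe/ielowutil.exe does not spawn these.
SUSPICIOUS_CHILDREN = {"cmd.exe", "fsutil.exe", "svchost.exe", "rmclient.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # full image path as logged
    command_line: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def basename(image: str) -> str:
    """Lower-cased file name, so path and case differences do not matter."""
    return PureWindowsPath(image).name.lower()


def detect(events: Iterable[ProcessEvent]) -> list[Finding]:
    events = list(events)
    # Keyed by pid only; real telemetry should key on process GUIDs because
    # pids are reused after a process exits.
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        child = basename(e.image)
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not observed (started before logging, or pid reused)
        parent_name = basename(parent.image)
        if parent_name in INJECTION_HOSTS and child in SUSPICIOUS_CHILDREN:
            findings.append(Finding(e.pid, "child_of_injection_host",
                                    f"{parent_name} -> {child}: {e.command_line}"))
        # svchost.exe is normally started by services.exe; a different parent
        # fits the watchdog hosting itself in svchost.exe. This baseline is
        # general Windows knowledge, not something the report states.
        if child == "svchost.exe" and parent_name != "services.exe":
            findings.append(Finding(e.pid, "svchost_unexpected_parent",
                                    f"parent {parent_name} (pid {parent.pid})"))
    return findings


# Constructed events: a normal svchost.exe under services.exe, then an
# ieinstal.exe that spawns cmd.exe and a second svchost.exe, and an fsutil.exe
# whose parent was never logged.
SAMPLE_EVENTS = [
    ProcessEvent(4, 0, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcessEvent(900, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent(3120, 2500, r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe", "ieinstal.exe"),
    ProcessEvent(3300, 3120, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe"),
    ProcessEvent(3310, 3120, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    ProcessEvent(3400, 2500, r"C:\Windows\System32\fsutil.exe", "fsutil.exe fsinfo drives"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule} ({f.detail})")
```

The fsutil.exe event is deliberately left unflagged: without its parent in the event set there is nothing to tie it to the sample, which is the usual gap when logging starts after the first stage has already run.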
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                    • FindClose.KERNEL32(00000000), ref: 0040BC04
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                    • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                    • API String ID: 1164774033-3681987949
                                    • Opcode ID: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                    • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                    • Opcode Fuzzy Hash: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                    • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
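The String ID lines of the file-manager, watchdog, injection-host and Firefox entries above carry plaintext status messages and paths that survive in a process dump. The following Python is an added example, not part of this report or of the sample's code: it searches a byte buffer for those strings in both ASCII and UTF-16LE (the sample mixes A and W Win32 calls, FindFirstFileA next to ShellExecuteW) and maps hits to capability families. The family grouping, the verdict thresholds and the embedded sample buffer are the example's own constructions.

```python
"""Triage strings from a memory dump against the Remcos strings in this report.

Added example; not code from the Joe Sandbox report or from the sample. The
indicator strings are copied from the String ID entries above; the grouping
into capability families, the verdict thresholds and build_sample_dump()
are this example's own assumptions and constructed data.
"""
from __future__ import annotations

from collections import defaultdict

INDICATORS: dict[str, list[str]] = {
    # strings from the watchdog function (00412141)
    "watchdog": [
        "Remcos restarted by watchdog!",
        "Watchdog module activated",
        "Watchdog launch failed!",
    ],
    # status messages from the file-manager function (00407CF4..00408775)
    "file_manager": [
        "Browsing directory: ",
        "Downloaded file: ",
        "Executing file: ",
        "Unable to rename file!",
    ],
    # Firefox profile paths and messages (0040BBEA)
    "firefox_credential_wipe": [
        "[Firefox StoredLogins Cleared!]",
        "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\",
        "\\logins.json",
        "\\key3.db",
    ],
    # process names compared against the process list (0040F4C9); weak on
    # their own, because an injected host process contains its own name
    "injection_hosts": ["ieinstal.exe", "ielowutil.exe"],
}

# Only this string names the family explicitly; everything else is generic.
FAMILY_SPECIFIC = {"Remcos restarted by watchdog!"}

# The sample mixes A and W Win32 calls, so every indicator is searched both ways.
ENCODINGS = ("ascii", "utf-16-le")


def find_indicators(blob: bytes) -> dict[str, list[tuple[str, str, int]]]:
    """Return {family: [(string, encoding, count), ...]} for strings present."""
    hits: dict[str, list[tuple[str, str, int]]] = defaultdict(list)
    for family, strings in INDICATORS.items():
        for s in strings:
            for enc in ENCODINGS:
                n = blob.count(s.encode(enc))
                if n:
                    hits[family].append((s, enc, n))
    return dict(hits)


def verdict(hits: dict[str, list[tuple[str, str, int]]]) -> str:
    """'remcos' on a family-specific string, 'remcos-like' on two or more
    capability families, otherwise 'no-match'. A single family is not
    enough: the injection-host names alone are expected in ieinstal.exe."""
    if any(s in FAMILY_SPECIFIC for entries in hits.values() for s, _, _ in entries):
        return "remcos"
    if len(hits) >= 2:
        return "remcos-like"
    return "no-match"


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory region: filler bytes with a
    few indicators embedded, some as ASCII and one as UTF-16LE."""
    return b"".join([
        b"\x00" * 64,
        b"Watchdog module activated\x00",
        "Browsing directory: ".encode("utf-16-le") + b"\x00\x00",
        b"\\logins.json\x00",
        b"ieinstal.exe\x00",
        b"\xcc" * 32,
    ])


if __name__ == "__main__":
    hits = find_indicators(build_sample_dump())
    for family, entries in hits.items():
        for s, enc, n in entries:
            print(f"{family:24s} {enc:9s} x{n}  {s!r}")
    print("verdict:", verdict(hits))
```

Point find_indicators at the contents of the .sdmp regions listed under Memory Dump Source once they are extracted. Generic names such as cmd.exe and svchost.exe are intentionally not in the table, since they occur in plenty of benign binaries.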
                                    APIs
                                    • OpenClipboard.USER32 ref: 004168FD
                                    • EmptyClipboard.USER32 ref: 0041690B
                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                    • GlobalLock.KERNEL32(00000000), ref: 00416934
                                    • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                    • CloseClipboard.USER32 ref: 00416990
                                    • OpenClipboard.USER32 ref: 00416997
                                    • GetClipboardData.USER32(0000000D), ref: 004169A7
                                    • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                    • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                    • CloseClipboard.USER32 ref: 004169BF
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                    • String ID: !D@$xdF
                                    • API String ID: 3520204547-3540039394
                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                    • FindClose.KERNEL32(00000000), ref: 0040BE04
                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                    • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                    • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Find$Close$File$FirstNext
                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 3527384056-432212279
                                    APIs
                                    • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                    • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                    • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                    • CloseHandle.KERNEL32(?), ref: 004134A0
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                    • String ID:
                                    • API String ID: 297527592-0
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0$1$2$3$4$5$6$7$VG
                                    • API String ID: 0-1861860590
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C37D
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C3AD
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C41F
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C42C
                                      • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C402
                                    • GetLastError.KERNEL32(?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C44D
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C463
                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C46A
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,h&y,004752F0,00000001), ref: 0041C473
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                    • String ID: h&y
                                    • API String ID: 2341273852-1401030966
                                    APIs
                                      • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                      • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                      • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                      • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                      • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                    • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                    • String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
                                    • API String ID: 1589313981-3345310279
                                    APIs
                                    • _wcslen.LIBCMT ref: 0040755C
                                    • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Object_wcslen
                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                    • API String ID: 240030777-3166923314
                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                    • GetLastError.KERNEL32 ref: 0041A84C
                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                    Yara matches
                                    Similarity
                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                    • String ID:
                                    • API String ID: 3587775597-0
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: File$Find$CreateFirstNext
                                    • String ID: 8eF$PXG$PXG$xKy$NG$PG
                                    • API String ID: 341183262-1307576408
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                    • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                    • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFile$FirstNext
                                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                    • API String ID: 1164774033-405221262
                                    APIs
                                    • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                    • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                    • GetKeyState.USER32(00000010), ref: 0040A46E
                                    • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                    • ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                    • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                    Yara matches
                                    Similarity
                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                    • String ID:
                                    • API String ID: 1888522110-0
                                    APIs
                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                    • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                    • API String ID: 2127411465-314212984
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                    Strings
                                    • open, xrefs: 00406FF1
                                    • 0aF, xrefs: 0040712C
                                    • 0aF, xrefs: 0040701B
                                    • C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, xrefs: 00407042, 0040716A
                                    Yara matches
                                    Similarity
                                    • API ID: DownloadExecuteFileShell
                                    • String ID: 0aF$0aF$C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe$open
                                    • API String ID: 2825088817-248516544
                                    • Opcode ID: 4b9f143b38e007746ed10a05fd133da9123ebbab4025aa3b903c6d73853a46e9
                                    • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                    • Opcode Fuzzy Hash: 4b9f143b38e007746ed10a05fd133da9123ebbab4025aa3b903c6d73853a46e9
                                    • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0040884C
                                    • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                    • String ID: xdF
                                    • API String ID: 1771804793-999140092
                                    • Opcode ID: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                    • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                    • Opcode Fuzzy Hash: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                    • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                    • GetLastError.KERNEL32 ref: 0040BA93
                                    Strings
                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                    • UserProfile, xrefs: 0040BA59
                                    • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    • API String ID: 2018770650-1062637481
                                    • Opcode ID: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                    • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                    • Opcode Fuzzy Hash: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                    • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                    • GetLastError.KERNEL32 ref: 004179D8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 3534403312-3733053543
                                    • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                    • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                    • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                    • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                    • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                    • Opcode Fuzzy Hash: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                    • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 00409293
                                      • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                    • FindClose.KERNEL32(00000000), ref: 004093FC
                                      • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                      • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                      • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                    • FindClose.KERNEL32(00000000), ref: 004095F4
                                      • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                      • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                    • String ID:
                                    • API String ID: 1824512719-0
                                    • Opcode ID: cfc75f04b1d898ee0c130a582012c3177bc7e698a05cd4a1bda34677b9042951
                                    • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                    • Opcode Fuzzy Hash: cfc75f04b1d898ee0c130a582012c3177bc7e698a05cd4a1bda34677b9042951
                                    • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                    • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                    • String ID:
                                    • API String ID: 276877138-0
                                    • Opcode ID: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                    • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                    • Opcode Fuzzy Hash: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                    • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
                                    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
                                    • GetACP.KERNEL32 ref: 00452593
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: ACP$OCP
                                    • API String ID: 2299586839-711371036
                                    • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                    • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                    • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                    • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                    APIs
                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileFind$FirstNextsend
                                    • String ID: 8eF$XPG$XPG
                                    • API String ID: 4113138495-4157548504
                                    • Opcode ID: aeda0b89492932c12f20bb2ebc40727bda67ea030b274ae713a59b382de888b7
                                    • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                    • Opcode Fuzzy Hash: aeda0b89492932c12f20bb2ebc40727bda67ea030b274ae713a59b382de888b7
                                    • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                    APIs
                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                      • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                      • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137E1
                                      • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137EC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateInfoParametersSystemValue
                                    • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                    • API String ID: 4127273184-3126330168
                                    • Opcode ID: 1b8314d2076e9d5c703d8fca3d96c61d813be21baf7682ae790ff92cd480d8bc
                                    • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                    • Opcode Fuzzy Hash: 1b8314d2076e9d5c703d8fca3d96c61d813be21baf7682ae790ff92cd480d8bc
                                    • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                    APIs
                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                    • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                    • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                    • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindLoadLockSizeof
                                    • String ID: SETTINGS
                                    • API String ID: 3473537107-594951305
                                    • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                    • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                    • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                    • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 004096A5
                                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstH_prologNext
                                    • String ID:
                                    • API String ID: 1157919129-0
                                    • Opcode ID: f92f0177f9ad375755d132dfbdc95623a352f14b94457c2472d6f14809876fc2
                                    • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                    • Opcode Fuzzy Hash: f92f0177f9ad375755d132dfbdc95623a352f14b94457c2472d6f14809876fc2
                                    • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                    • GetUserDefaultLCID.KERNEL32 ref: 0045279C
                                    • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                    • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                    • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                    • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                    • String ID:
                                    • API String ID: 745075371-0
                                    • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                    • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                    • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                    • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                    APIs
                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                      • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                      • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137E1
                                      • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137EC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateInfoParametersSystemValue
                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                    • API String ID: 4127273184-3576401099
                                    • Opcode ID: c75f0c149e5ba73f7fcce6e5d535fa58e0d6b88a56a7ba07c2d3bac10c61bf9e
                                    • Instruction ID: 1d4fccf664b116fd7e9026c1daa93839c24cbfeedf45b0e65449f5778d70c30d
                                    • Opcode Fuzzy Hash: c75f0c149e5ba73f7fcce6e5d535fa58e0d6b88a56a7ba07c2d3bac10c61bf9e
                                    • Instruction Fuzzy Hash: DBF0C272BC421022D82931B96DAFBFE18058742F61F15412BF302652CAD4CE6A81428F
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
                                    • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                    • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                    • String ID:
                                    • API String ID: 4212172061-0
                                    • Opcode ID: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
                                    • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                    • Opcode Fuzzy Hash: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
                                    • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                    APIs
                                    • _free.LIBCMT ref: 0044943D
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • GetTimeZoneInformation.KERNEL32 ref: 0044944F
                                    • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
                                    • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                    • String ID:
                                    • API String ID: 806657224-0
                                    • Opcode ID: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
                                    • Instruction ID: d52e19fe16dfdee109f40d049db845c42e01460133d57766726f1505d2785bee
                                    • Opcode Fuzzy Hash: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
                                    • Instruction Fuzzy Hash: 2D31F371904205EFDB15DF69CE8186EBBB8FF0572072446AFE024A73A1D3748D41EB28
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                    • String ID:
                                    • API String ID: 2829624132-0
                                    • Opcode ID: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
                                    • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                    • Opcode Fuzzy Hash: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
                                    • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                    APIs
                                    • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                    • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                    • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                    • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,00000000), ref: 004338DA
                                    • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Context$AcquireRandomRelease
                                    • String ID:
                                    • API String ID: 1815803762-0
                                    • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                    • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                    • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                    • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                    • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                    • ExitProcess.KERNEL32 ref: 0044338F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                    • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                    • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                    • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                    APIs
                                    • OpenClipboard.USER32(00000000), ref: 0040B74C
                                    • GetClipboardData.USER32(0000000D), ref: 0040B758
                                    • CloseClipboard.USER32 ref: 0040B760
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Clipboard$CloseDataOpen
                                    • String ID:
                                    • API String ID: 2058664381-0
                                    • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                    • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                    • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                    • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                    APIs
                                    • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                    • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                    • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseHandleOpenResume
                                    • String ID:
                                    • API String ID: 3614150671-0
                                    • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                    • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                    • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                    • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                    APIs
                                    • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                    • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                    • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseHandleOpenSuspend
                                    • String ID:
                                    • API String ID: 1999457699-0
                                    • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                    • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                    • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                    • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                    APIs
                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID: GetLocaleInfoEx
                                    • API String ID: 2299586839-2904428671
                                    • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                    • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                    • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                    • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                    • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                    • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                    • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
                                    • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                    • Opcode Fuzzy Hash: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
                                    • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                    • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                    • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                    • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                    • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                    • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                    • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                    Yara matches
                                    Similarity
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-0
                                    • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                    • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                    • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                    • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                    • String ID:
                                    • API String ID: 1663032902-0
                                    • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                    • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                    • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                    • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                    • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                    • Opcode Fuzzy Hash: cd62537e8c3e003b13522b9155b4eea68fe7d0001d8d421cd242523031e004a2
                                    • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$InfoLocale_abort_free
                                    • String ID:
                                    • API String ID: 2692324296-0
                                    • Opcode ID: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                    • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                    • Opcode Fuzzy Hash: ed905f4e10f5b376defebc36d7d97aa2bb2c1abe5f1ea1ee61b46868c197e3f5
                                    • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: b47e8d7704c3cea33439bb1b9c4b2a0344765dc89a2caae7295f0002ba586764
                                    • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                    • Opcode Fuzzy Hash: b47e8d7704c3cea33439bb1b9c4b2a0344765dc89a2caae7295f0002ba586764
                                    • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                    APIs
                                      • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                    • EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                    • String ID:
                                    • API String ID: 1272433827-0
                                    • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                    • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                    • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                    • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                    • String ID:
                                    • API String ID: 1084509184-0
                                    • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                    • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                    • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                    • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                    • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                    • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                    • Instruction Fuzzy Hash:
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: @
                                    • API String ID: 0-2766056989
                                    • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                    • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                    • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                    • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                    • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                    • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                    • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                    • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                    • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                    • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                    • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                    • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                    • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                    APIs
                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                    • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                      • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                    • DeleteDC.GDI32(00000000), ref: 00418F65
                                    • DeleteDC.GDI32(00000000), ref: 00418F68
                                    • DeleteObject.GDI32(00000000), ref: 00418F6B
                                    • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                    • DeleteDC.GDI32(00000000), ref: 00418F9D
                                    • DeleteDC.GDI32(00000000), ref: 00418FA0
                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                    • GetCursorInfo.USER32(?), ref: 00418FE2
                                    • GetIconInfo.USER32(?,?), ref: 00418FF8
                                    • DeleteObject.GDI32(?), ref: 00419027
                                    • DeleteObject.GDI32(?), ref: 00419034
                                    • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                    • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                    • DeleteDC.GDI32(?), ref: 004191B7
                                    • DeleteDC.GDI32(00000000), ref: 004191BA
                                    • DeleteObject.GDI32(00000000), ref: 004191BD
                                    • GlobalFree.KERNEL32(?), ref: 004191C8
                                    • DeleteObject.GDI32(00000000), ref: 0041927C
                                    • GlobalFree.KERNEL32(?), ref: 00419283
                                    • DeleteDC.GDI32(?), ref: 00419293
                                    • DeleteDC.GDI32(00000000), ref: 0041929E
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                    • String ID: DISPLAY
                                    • API String ID: 4256916514-865373369
                                    • Opcode ID: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                    • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                    • Opcode Fuzzy Hash: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                    • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                    APIs
                                      • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                      • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,h&y,004752F0,?,pth_unenc), ref: 0040B8F6
                                      • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                      • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                    • ExitProcess.KERNEL32 ref: 0040D80B
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("$xKy$xdF$xpF
                                    • API String ID: 1861856835-1052535600
                                    • Opcode ID: 779bd8c3fa979e6212a70a7ec10a956c9f97f6caeed947a2cb61efc57b251fae
                                    • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                    • Opcode Fuzzy Hash: 779bd8c3fa979e6212a70a7ec10a956c9f97f6caeed947a2cb61efc57b251fae
                                    • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                    APIs
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                    • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                    • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                    • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                    • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                    • ResumeThread.KERNEL32(?), ref: 00418470
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                    • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                    • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                    • GetLastError.KERNEL32 ref: 004184B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                    • API String ID: 4188446516-3035715614
                                    • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                    • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                    • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                    • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                    APIs
                                      • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                      • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,h&y,004752F0,?,pth_unenc), ref: 0040B8F6
                                      • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                      • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                      • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                    • ExitProcess.KERNEL32 ref: 0040D454
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                    • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$h&y$open$pth_unenc$wend$while fso.FileExists("$xKy$xdF$xpF
                                    • API String ID: 3797177996-1541140116
                                    • Opcode ID: dd8319ffc67d1054beefb8b0b566d77839d74a362affede773f697cf057b9661
                                    • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                    • Opcode Fuzzy Hash: dd8319ffc67d1054beefb8b0b566d77839d74a362affede773f697cf057b9661
                                    • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                    APIs
                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                    • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                    • CloseHandle.KERNEL32(00000000), ref: 00412576
                                    • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                    • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                    • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                      • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                    • Sleep.KERNEL32(000001F4), ref: 004126BD
                                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                    • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                    • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                    • String ID: .exe$WDH$exepath$open$temp_$xKy
                                    • API String ID: 2649220323-2566852731
                                    • Opcode ID: 1c913ae08a5e17ca5ba38718309b211a0371373e46d4682c3eff5b2ddab4b42e
                                    • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                    • Opcode Fuzzy Hash: 1c913ae08a5e17ca5ba38718309b211a0371373e46d4682c3eff5b2ddab4b42e
                                    • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                    APIs
                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                    • SetEvent.KERNEL32 ref: 0041B2AA
                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                    • CloseHandle.KERNEL32 ref: 0041B2CB
                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                    • API String ID: 738084811-2094122233
                                    • Opcode ID: cf2f536cfb4717a724ed957876631ab1db0d8eecf55f524aebf6ef92b2d3f5f5
                                    • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                    • Opcode Fuzzy Hash: cf2f536cfb4717a724ed957876631ab1db0d8eecf55f524aebf6ef92b2d3f5f5
                                    • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                    • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                    • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                    • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Write$Create
                                    • String ID: RIFF$WAVE$data$fmt
                                    • API String ID: 1602526932-4212202414
                                    • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                    • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                    • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                    • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                    APIs
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe,00000001,00407688,C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe,00000003,004076B0,h&y,00407709), ref: 004072BF
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                    • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                    • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                    • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                    • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                    • API String ID: 1646373207-2998074077
                                    • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                    • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                    • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                    • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                    APIs
                                    • _wcslen.LIBCMT ref: 0040CE42
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                    • _wcslen.LIBCMT ref: 0040CF21
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe,00000000,00000000), ref: 0040CFBF
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                    • _wcslen.LIBCMT ref: 0040D001
                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                    • ExitProcess.KERNEL32 ref: 0040D09D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                    • String ID: 6$C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe$del$h&y$open$xdF
                                    • API String ID: 1579085052-257406512
                                    • Opcode ID: 1f26a9a137c80f5632c92eb2222ab7f2ba6ebdcc1e6d02a5e4a10b2a6e82a7e9
                                    • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                    • Opcode Fuzzy Hash: 1f26a9a137c80f5632c92eb2222ab7f2ba6ebdcc1e6d02a5e4a10b2a6e82a7e9
                                    • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                    APIs
                                    • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                    • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                    • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                    • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                    • _wcslen.LIBCMT ref: 0041C1CC
                                    • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                    • GetLastError.KERNEL32 ref: 0041C204
                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                    • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                    • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                    • GetLastError.KERNEL32 ref: 0041C261
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                    • String ID: ?
                                    • API String ID: 3941738427-1684325040
                                    • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                    • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                    • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                    • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                      • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                    • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                    • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                    • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                    • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                    • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                    • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                    • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                    • Sleep.KERNEL32(00000064), ref: 00412ECF
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Similarity
                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                    • String ID: /stext "$,aF$0TG$0TG$NG$NG
                                    • API String ID: 1223786279-4119708859
                                    • Opcode ID: eaa82bcfc7eecefdd05ab97e79a0612f1416c02065666deff46019d408466eaa
                                    • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                    • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                    Similarity
                                    • API ID: _free$EnvironmentVariable$_wcschr
                                    • String ID:
                                    • API String ID: 3899193279-0
                                    • Opcode ID: 28687395a6aa2078608bd89f57b343956b66557142a9620950dd617db5e8e69e
                                    • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                    • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                    • __aulldiv.LIBCMT ref: 00408D88
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                    • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                    • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                    • CloseHandle.KERNEL32(00000000), ref: 00409037
                                    Similarity
                                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF$NG
                                    • API String ID: 3086580692-3944908133
                                    • Opcode ID: 4862477fdb9952e5eeaa3378eb83c1e6897d22439acc3b3fc52933e10b919cae
                                    • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                    • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                    APIs
                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                    • GetCursorPos.USER32(?), ref: 0041D67A
                                    • SetForegroundWindow.USER32(?), ref: 0041D683
                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                    • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                    • ExitProcess.KERNEL32 ref: 0041D6F6
                                    • CreatePopupMenu.USER32 ref: 0041D6FC
                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                    Similarity
                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                    • String ID: Close
                                    • API String ID: 1657328048-3535843008
                                    • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                    • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                    • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                    Similarity
                                    • API ID: _free$Info
                                    • String ID:
                                    • API String ID: 2509303402-0
                                    • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                    • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                    • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                    APIs
                                      • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                      • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                      • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                      • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                      • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                    • ExitProcess.KERNEL32 ref: 0040D9FF
                                    Similarity
                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                    • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open$xKy$xdF
                                    • API String ID: 1913171305-2187561404
                                    • Opcode ID: 8bbe4f0fb6c88a2abc4eeafe0384b11dbe09999f44ef1c7605111127e7698097
                                    • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                    • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                    APIs
                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                    • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                    • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                    • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                    Similarity
                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                    • String ID: \ws2_32$\wship6$getaddrinfo
                                    • API String ID: 2490988753-3078833738
                                    • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                    • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                    • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 0045138A
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                      • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                    • _free.LIBCMT ref: 0045137F
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 004513A1
                                    • _free.LIBCMT ref: 004513B6
                                    • _free.LIBCMT ref: 004513C1
                                    • _free.LIBCMT ref: 004513E3
                                    • _free.LIBCMT ref: 004513F6
                                    • _free.LIBCMT ref: 00451404
                                    • _free.LIBCMT ref: 0045140F
                                    • _free.LIBCMT ref: 00451447
                                    • _free.LIBCMT ref: 0045144E
                                    • _free.LIBCMT ref: 0045146B
                                    • _free.LIBCMT ref: 00451483
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                    • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                    • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                    APIs
                                    • __EH_prolog.LIBCMT ref: 0041A04A
                                    • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                    • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                    • GetLocalTime.KERNEL32(?), ref: 0041A196
                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                    Similarity
                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                    • API String ID: 489098229-1431523004
                                    • Opcode ID: ef3a2b2680ef5ec4cf1756d8d4e3928048fec3981f722f661be4b2a60a96407b
                                    • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                    • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                    • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                    • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                    APIs
                                      • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                    • GetLastError.KERNEL32 ref: 00455D6F
                                    • __dosmaperr.LIBCMT ref: 00455D76
                                    • GetFileType.KERNEL32(00000000), ref: 00455D82
                                    • GetLastError.KERNEL32 ref: 00455D8C
                                    • __dosmaperr.LIBCMT ref: 00455D95
                                    • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                    • CloseHandle.KERNEL32(?), ref: 00455EFF
                                    • GetLastError.KERNEL32 ref: 00455F31
                                    • __dosmaperr.LIBCMT ref: 00455F38
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    • API String ID: 4237864984-2852464175
                                    • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                    • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                    • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    Similarity
                                    • API ID: _free
                                    • String ID: \&G$\&G$`&G
                                    Similarity
                                    • API ID:
                                    • String ID: 65535$udp
                                    APIs
                                    • OpenClipboard.USER32 ref: 0041697C
                                    • EmptyClipboard.USER32 ref: 0041698A
                                    • CloseClipboard.USER32 ref: 00416990
                                    • OpenClipboard.USER32 ref: 00416997
                                    • GetClipboardData.USER32(0000000D), ref: 004169A7
                                    • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                    • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                    • CloseClipboard.USER32 ref: 004169BF
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Similarity
                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                    • String ID: !D@$xdF
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                    • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                    • __dosmaperr.LIBCMT ref: 0043A926
                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                    • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                    • __dosmaperr.LIBCMT ref: 0043A963
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                    • __dosmaperr.LIBCMT ref: 0043A9B7
                                    • _free.LIBCMT ref: 0043A9C3
                                    • _free.LIBCMT ref: 0043A9CA
                                    Similarity
                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                    • String ID:
                                    APIs
                                    • SetEvent.KERNEL32(?,?), ref: 004054BF
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                    • TranslateMessage.USER32(?), ref: 0040557E
                                    • DispatchMessageA.USER32(?), ref: 00405589
                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Similarity
                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                      • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                      • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                    Similarity
                                    • API ID: CloseEnumInfoOpenQuerysend
                                    • String ID: (aF$,aF$xUG$xdF$NG$NG$TG
                                    APIs
                                      • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                    • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                    • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Similarity
                                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                    • String ID: 0VG$0VG$<$@$Temp
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                    • int.LIBCPMT ref: 00410EBC
                                      • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                      • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                    • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                    • __Init_thread_footer.LIBCMT ref: 00410F64
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                    • String ID: ,kG$0kG$@!G
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    APIs
                                    • _free.LIBCMT ref: 004481B5
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 004481C1
                                    • _free.LIBCMT ref: 004481CC
                                    • _free.LIBCMT ref: 004481D7
                                    • _free.LIBCMT ref: 004481E2
                                    • _free.LIBCMT ref: 004481ED
                                    • _free.LIBCMT ref: 004481F8
                                    • _free.LIBCMT ref: 00448203
                                    • _free.LIBCMT ref: 0044820E
                                    • _free.LIBCMT ref: 0044821C
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    Similarity
                                    • API ID: Eventinet_ntoa
                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                    • Sleep.KERNEL32(00000064), ref: 0041755C
                                    • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                    Similarity
                                    • API ID: File$CreateDeleteExecuteShellSleep
                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 00407418
                                    • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe), ref: 004074D9
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentProcess
                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                    • API String ID: 2050909247-4242073005
                                    • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                    • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                    • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                    APIs
                                    • _strftime.LIBCMT ref: 00401D50
                                      • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                    • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                    Yara matches
                                    Similarity
                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                    • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                    • API String ID: 3809562944-243156785
                                    • Opcode ID: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                    • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                    • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                    APIs
                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                    • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                    • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                    • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                    • waveInStart.WINMM ref: 00401CFE
                                    Yara matches
                                    Similarity
                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                    • String ID: dMG$|MG$PG
                                    • API String ID: 1356121797-532278878
                                    • Opcode ID: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                    • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                    • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                      • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                      • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                      • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                    • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                    • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                    • TranslateMessage.USER32(?), ref: 0041D57A
                                    • DispatchMessageA.USER32(?), ref: 0041D584
                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                    Yara matches
                                    Similarity
                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                    • String ID: Remcos
                                    • API String ID: 1970332568-165870891
                                    • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                    • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                    • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                    APIs
                                    • AllocConsole.KERNEL32(xKy), ref: 0041CE35
                                    • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                    • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                    Yara matches
                                    Similarity
                                    • API ID: Console$Window$AllocOutputShow
                                    • String ID: Remcos v$5.1.2 Pro$CONOUT$$xKy
                                    • API String ID: 4067487056-1079892433
                                    • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                    • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                    • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                    APIs
                                    • GetCPInfo.KERNEL32(?,?), ref: 00453EAF
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
                                    • __alloca_probe_16.LIBCMT ref: 00453F6A
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
                                    • __alloca_probe_16.LIBCMT ref: 00454014
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
                                    • __freea.LIBCMT ref: 00454083
                                    • __freea.LIBCMT ref: 0045408F
                                    Similarity
                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                    • API String ID: 201697637-0
                                    • Opcode ID: 38c45374c982bab9fdca9225a0eff17244eb70fd61b25fca2b6ccb3a02645299
                                    • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                    • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                    APIs
                                      • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                      • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                      • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                      • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • _memcmp.LIBVCRUNTIME ref: 004454A4
                                    • _free.LIBCMT ref: 00445515
                                    • _free.LIBCMT ref: 0044552E
                                    • _free.LIBCMT ref: 00445560
                                    • _free.LIBCMT ref: 00445569
                                    • _free.LIBCMT ref: 00445575
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorLast$_abort_memcmp
                                    • String ID: C
                                    • API String ID: 1679612858-1037565863
                                    • Opcode ID: cea386491646d7d3f1b23945ae788b4f36899b89ad91b0431e936bcc0a348579
                                    • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                    • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                    Yara matches
                                    Similarity
                                    • String ID: tcp$udp
                                    • API String ID: 0-3725065008
                                    • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                    • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                    • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                    APIs
                                    • __Init_thread_footer.LIBCMT ref: 004018BE
                                    • ExitThread.KERNEL32 ref: 004018F6
                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                    Yara matches
                                    Similarity
                                    • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                    • String ID: PkG$XMG$NG$NG
                                    • API String ID: 1649129571-3151166067
                                    • Opcode ID: 0f64698b943d044e9c44b40061bc22dc02fae1423900d42594b13ca127a5eeee
                                    • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                    • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                      • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                      • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                    • String ID: .part
                                    • API String ID: 1303771098-3499674018
                                    • Opcode ID: 574ce09f97f532c6649a1055b4b6b44f95d16ded907ae16722569cd649f46737
                                    • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                    • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                    Strings
                                    • Rmc-RZH5WZ, xrefs: 00407715
                                    • xdF, xrefs: 004076E4
                                    • C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, xrefs: 004076FF
                                    • h&y, xrefs: 004076DF
                                    Similarity
                                    • String ID: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe$Rmc-RZH5WZ$h&y$xdF
                                    • API String ID: 0-3215469600
                                    • Opcode ID: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
                                    • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                    • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                    • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                    • __alloca_probe_16.LIBCMT ref: 0044AE40
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                    • __freea.LIBCMT ref: 0044AEB0
                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                    • __freea.LIBCMT ref: 0044AEB9
                                    • __freea.LIBCMT ref: 0044AEDE
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                    • String ID:
                                    • API String ID: 3864826663-0
                                    APIs
                                    • SendInput.USER32 ref: 00419A25
                                    • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                    • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                      • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                    Yara matches
                                    Similarity
                                    • API ID: InputSend$Virtual
                                    • String ID:
                                    • API String ID: 1167301434-0
                                    Yara matches
                                    Similarity
                                    • API ID: __freea$__alloca_probe_16_free
                                    • String ID: a/p$am/pm$h{D
                                    • API String ID: 2936374016-2303565833
                                    APIs
                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                    • _free.LIBCMT ref: 00444E87
                                    • _free.LIBCMT ref: 00444E9E
                                    • _free.LIBCMT ref: 00444EBD
                                    • _free.LIBCMT ref: 00444ED8
                                    • _free.LIBCMT ref: 00444EEF
                                    Yara matches
                                    Similarity
                                    • API ID: _free$AllocateHeap
                                    • String ID: KED
                                    • API String ID: 3033488037-2133951994
                                    APIs
                                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                    Yara matches
                                    Similarity
                                    • API ID: Enum$InfoQueryValue
                                    • String ID: [regsplt]$xUG$TG
                                    • API String ID: 3554306468-1165877943
                                    APIs
                                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                    • __fassign.LIBCMT ref: 0044B4F9
                                    • __fassign.LIBCMT ref: 0044B514
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                    • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID:
                                    • API String ID: 1324828854-0
                                    APIs
                                      • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                      • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                      • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                    • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                    • API String ID: 1133728706-4073444585
                                    APIs
                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                    • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                    Strings
                                    • http://geoplugin.net/json.gp, xrefs: 0041B448
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleOpen$FileRead
                                    • String ID: http://geoplugin.net/json.gp
                                    • API String ID: 3121278467-91888290
                                    APIs
                                      • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                    • _free.LIBCMT ref: 00450FC8
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 00450FD3
                                    • _free.LIBCMT ref: 00450FDE
                                    • _free.LIBCMT ref: 00451032
                                    • _free.LIBCMT ref: 0045103D
                                    • _free.LIBCMT ref: 00451048
                                    • _free.LIBCMT ref: 00451053
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                    • int.LIBCPMT ref: 004111BE
                                      • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                      • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                    • std::_Facet_Register.LIBCPMT ref: 004111FE
                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                    Yara matches
                                    Similarity
                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                    • String ID: (mG
                                    • API String ID: 2536120697-4059303827
                                    APIs
                                    • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                    • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe), ref: 0040760B
                                      • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                      • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                    • CoUninitialize.OLE32 ref: 00407664
                                    Strings
                                    • [+] before ShellExec, xrefs: 0040762C
                                    • [+] ShellExec success, xrefs: 00407649
                                    • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
                                    • C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, xrefs: 004075EB, 004075EE, 00407640
                                    Yara matches
                                    Similarity
                                    • API ID: InitializeObjectUninitialize_wcslen
                                    • String ID: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                    • API String ID: 3851391207-2979268427
                                    • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                    • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                    • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                    • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                    APIs
                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                    • GetLastError.KERNEL32 ref: 0040BB22
                                    Strings
                                    • UserProfile, xrefs: 0040BAE8
                                    • [Chrome Cookies not found], xrefs: 0040BB3C
                                    • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteErrorFileLast
                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                    • API String ID: 2018770650-304995407
                                    • Opcode ID: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                    • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                    • Opcode Fuzzy Hash: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                    • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                    APIs
                                    • __allrem.LIBCMT ref: 0043ACE9
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                    • __allrem.LIBCMT ref: 0043AD1C
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                    • __allrem.LIBCMT ref: 0043AD51
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                    • String ID:
                                    • API String ID: 1992179935-0
                                    • Opcode ID: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                    • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                    • Opcode Fuzzy Hash: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                    • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                    APIs
                                    • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                      • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: H_prologSleep
                                    • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                    • API String ID: 3469354165-3054508432
                                    • Opcode ID: d4518b23dec90b8029bbd11dcbc381dab6b02525a2c163c72b7afde7e6a7a17f
                                    • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                    • Opcode Fuzzy Hash: d4518b23dec90b8029bbd11dcbc381dab6b02525a2c163c72b7afde7e6a7a17f
                                    • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                    APIs
                                      • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                    • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                    • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                    • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                      • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                      • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                      • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                    • String ID:
                                    • API String ID: 3950776272-0
                                    • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                    • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                    • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                    • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __cftoe
                                    • String ID:
                                    • API String ID: 4189289331-0
                                    • Opcode ID: d4cf2da0f410fbcc7cbee81c0db44e16d3fe49bd9b5005f3a7d0ddff8059c7c7
                                    • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                    • Opcode Fuzzy Hash: d4cf2da0f410fbcc7cbee81c0db44e16d3fe49bd9b5005f3a7d0ddff8059c7c7
                                    • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                    • String ID:
                                    • API String ID: 493672254-0
                                    • Opcode ID: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                    • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                    • Opcode Fuzzy Hash: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                    • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                    APIs
                                    • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                    • _free.LIBCMT ref: 004482CC
                                    • _free.LIBCMT ref: 004482F4
                                    • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                    • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                    • _abort.LIBCMT ref: 00448313
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free$_abort
                                    • String ID:
                                    • API String ID: 3160817290-0
                                    • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                    • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                    • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                    • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                    • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                    • Opcode Fuzzy Hash: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                    • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                    • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                    • Opcode Fuzzy Hash: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                    • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                    APIs
                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandle$Open$ControlManager
                                    • String ID:
                                    • API String ID: 221034970-0
                                    • Opcode ID: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                    • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                    • Opcode Fuzzy Hash: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                    • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CountEventTick
                                    • String ID: !D@$,aF$NG
                                    • API String ID: 180926312-2771706352
                                    • Opcode ID: 5515c5dcfc0cb97e3f42809a32b505bea829372b22676900a79e6c84bbf45ca8
                                    • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                    • Opcode Fuzzy Hash: 5515c5dcfc0cb97e3f42809a32b505bea829372b22676900a79e6c84bbf45ca8
                                    • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: @^E
                                    • API String ID: 269201875-2908066071
                                    • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                    • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                    • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                    • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                    APIs
                                      • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                      • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                      • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                      • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                      • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                    • _wcslen.LIBCMT ref: 0041B7F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                    • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                    • API String ID: 3286818993-4246244872
                                    • Opcode ID: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                    • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                    • Opcode Fuzzy Hash: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                    • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                    APIs
                                    • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                    • GetLastError.KERNEL32 ref: 0041D611
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ClassCreateErrorLastRegisterWindow
                                    • String ID: 0$MsgWindowClass
                                    • API String ID: 2877667751-2410386613
                                    • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                    • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                    • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                    • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                    APIs
                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                    • CloseHandle.KERNEL32(?), ref: 004077E5
                                    • CloseHandle.KERNEL32(?), ref: 004077EA
                                    Strings
                                    • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreateProcess
                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                    • API String ID: 2922976086-4183131282
                                    • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                    • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                    • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                    • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
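The CreateProcessA call in this function launches reg.exe through cmd.exe /k to write EnableLUA = 0 under the HKLM policy key, which switches UAC off at the next logon; the write only succeeds if the calling process is already elevated. The Python below is an added detection example, not part of the Joe Sandbox report and not the sample's code: it runs over constructed process-creation events (assumed pid and cmdline fields; the first two reproduce the report's command line, once through the cmd.exe /k wrapper and once with the long hive name and hex data), strips the cmd.exe wrapper, normalizes the hive alias and key path, and flags any "reg add" that sets EnableLUA to zero.

```python
import re

# Policy key that controls UAC. EnableLUA = 0 switches UAC off at the next
# logon, which is what the report's reg.exe command line writes.
UAC_POLICY_KEY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM"}

# Constructed process-creation events (assumed pid/cmdline fields, not taken
# from the report). The first two reproduce the report's pattern, once through
# the cmd.exe /k wrapper and once with the long hive name and hex data.
SAMPLE_EVENTS = [
    {"pid": 1001, "cmdline": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD "
                             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                             r"/v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 1002, "cmdline": r'reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" '
                             r"/v enablelua /t reg_dword /d 0x0 /f"},
    {"pid": 1003, "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA"},
    {"pid": 1004, "cmdline": r"reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f"},
    {"pid": 1005, "cmdline": r"cmd.exe /c echo hello"},
]

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def _basename(tok):
    return re.split(r"[\\/]", tok)[-1].lower()


def _normalize_key(key):
    """Upper-case the path, drop a trailing backslash and collapse hive aliases."""
    key = key.rstrip("\\").upper()
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest


def unwrap_cmd(toks):
    """Strip leading 'cmd.exe ... /c|/k' wrappers, re-tokenizing a quoted payload."""
    if toks and _basename(toks[0]) in ("cmd", "cmd.exe"):
        for i, tok in enumerate(toks[1:], 1):
            if tok.lower() in ("/c", "/k"):
                rest = toks[i + 1:]
                if len(rest) == 1 and " " in rest[0]:
                    rest = tokenize(rest[0])
                return unwrap_cmd(rest)
    return toks


def parse_reg_add(cmdline):
    """Return {'key', 'value', 'data'} for a 'reg add' invocation, else None."""
    toks = unwrap_cmd(tokenize(cmdline))
    for i, tok in enumerate(toks):
        if _basename(tok) in ("reg", "reg.exe"):
            break
    else:
        return None
    args = toks[i + 1:]
    if len(args) < 2 or args[0].lower() != "add":
        return None
    info = {"key": _normalize_key(args[1]), "value": None, "data": None}
    j = 2
    while j < len(args):
        flag = args[j].lower()
        if flag == "/v" and j + 1 < len(args):
            info["value"] = args[j + 1].lower()
            j += 2
        elif flag == "/d" and j + 1 < len(args):
            info["data"] = args[j + 1]
            j += 2
        else:
            j += 1
    return info


def disables_uac(cmdline):
    """True when the command line writes EnableLUA = 0 under the UAC policy key."""
    info = parse_reg_add(cmdline)
    if info is None or info["key"] != UAC_POLICY_KEY or info["value"] != "enablelua":
        return False
    try:
        return int(info["data"], 0) == 0   # accepts 0, 0x0, 00
    except (TypeError, ValueError):
        return False


def scan(events):
    """Return the pids of events whose command line disables UAC."""
    return [e["pid"] for e in events if disables_uac(e["cmdline"])]


if __name__ == "__main__":
    for pid in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: reg.exe sets EnableLUA=0 (UAC disabled at next logon)")
```

The same logic applies to the CommandLine field of a Sysmon Event ID 1 or Security 4688 record. Because the value persists in the registry once written, a host-side check that reads EnableLUA back from the same key complements the process-creation rule, which only sees the attempt.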
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                    • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                    • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                    • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                    • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                    • String ID: KeepAlive | Disabled
                                    • API String ID: 2993684571-305739064
                                    • Opcode ID: 79b17cb61ca097f2dd87540d91e49b40a86234966918d688794a6c742f2a43ed
                                    • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                    • Opcode Fuzzy Hash: 79b17cb61ca097f2dd87540d91e49b40a86234966918d688794a6c742f2a43ed
                                    • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                    APIs
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                    • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                    • Sleep.KERNEL32(00002710), ref: 0041AE98
                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                    • String ID: Alarm triggered
                                    • API String ID: 614609389-2816303416
                                    • Opcode ID: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                    • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                    • Opcode Fuzzy Hash: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                    • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                    Strings
                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                    • API String ID: 3024135584-2418719853
                                    • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                    • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                    • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                    • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                    • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                    • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                    • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                    APIs
                                      • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                      • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                    • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                      • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,xKy), ref: 0041C08B
                                      • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,xKy), ref: 0041C096
                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                      • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 2180151492-0
                                    • Opcode ID: b612a60f51ba30386d7e6c27c988ec9eea2298f46b4f956bf04d12ed4463d939
                                    • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                    • Opcode Fuzzy Hash: b612a60f51ba30386d7e6c27c988ec9eea2298f46b4f956bf04d12ed4463d939
                                    • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID:
                                    • API String ID: 269201875-0
                                    • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                    • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                    • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                    • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                    • __alloca_probe_16.LIBCMT ref: 00451231
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                    • __freea.LIBCMT ref: 0045129D
                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                    • String ID:
                                    • API String ID: 313313983-0
                                    • Opcode ID: bc12763b399a6208d318c17ed7bb5e89049be1fb7aa338cc20da594798c3f730
                                    • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                    • Opcode Fuzzy Hash: bc12763b399a6208d318c17ed7bb5e89049be1fb7aa338cc20da594798c3f730
                                    • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                    APIs
                                      • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                      • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                      • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                    • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQuerySleepValue
                                    • String ID: exepath$h&y$xKy$xdF
                                    • API String ID: 4119054056-1660229573
                                    • Opcode ID: abb323afdf3d65a8fcb9fe28f99c1048d11d133e5e733d2859862f82a45f57bd
                                    • Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
                                    • Opcode Fuzzy Hash: abb323afdf3d65a8fcb9fe28f99c1048d11d133e5e733d2859862f82a45f57bd
                                    • Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
                                    APIs
                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                      • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                    • _free.LIBCMT ref: 0044F43F
                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                    • String ID:
                                    • API String ID: 336800556-0
                                    • Opcode ID: 5500135b4103b87c343acc58efff57d349ffb1ffd5e47bf571a7f4768ca97117
                                    • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                    • Opcode Fuzzy Hash: 5500135b4103b87c343acc58efff57d349ffb1ffd5e47bf571a7f4768ca97117
                                    • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                    APIs
                                    • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                    • _free.LIBCMT ref: 00448353
                                    • _free.LIBCMT ref: 0044837A
                                    • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                    • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$_free
                                    • String ID:
                                    • API String ID: 3170660625-0
                                    • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                    • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                    • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                    • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                    APIs
                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseHandleOpen$FileImageName
                                    • String ID:
                                    • API String ID: 2951400881-0
                                    • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                    • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                    • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                    • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                    APIs
                                    • _free.LIBCMT ref: 00450A54
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 00450A66
                                    • _free.LIBCMT ref: 00450A78
                                    • _free.LIBCMT ref: 00450A8A
                                    • _free.LIBCMT ref: 00450A9C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                    • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                    • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                    • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                    APIs
                                    • _free.LIBCMT ref: 00444106
                                      • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                      • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                    • _free.LIBCMT ref: 00444118
                                    • _free.LIBCMT ref: 0044412B
                                    • _free.LIBCMT ref: 0044413C
                                    • _free.LIBCMT ref: 0044414D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                    • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                    • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                    • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                    APIs
                                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                      • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                      • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFileKeyboardLayoutNameconnectsend
                                    • String ID: XQG$NG$PG
                                    • API String ID: 1634807452-3565412412
                                    • Opcode ID: b2f0490ca4864a8eb0c48cf3396b1e76e79b9ec5dea5ad29cd1735cca7dae2b3
                                    • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                    • Opcode Fuzzy Hash: b2f0490ca4864a8eb0c48cf3396b1e76e79b9ec5dea5ad29cd1735cca7dae2b3
                                    • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe,00000104), ref: 00443515
                                    • _free.LIBCMT ref: 004435E0
                                    • _free.LIBCMT ref: 004435EA
                                    Strings
                                    • C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe, xrefs: 0044350C, 00443513, 00443542, 0044357A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$FileModuleName
                                    • String ID: C:\Users\user\Desktop\17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db4eb8287.dat-decoded.exe
                                    • API String ID: 2506810119-2953952512
                                    • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                    • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                    • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                    • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                      • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                      • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                      • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                    • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                    • String ID: /sort "Visit Time" /stext "$0NG
                                    • API String ID: 368326130-3219657780
                                    • Opcode ID: dfd66daedff1ed465f69e1ec25a1149862e16772085409376d3f26b1d972e468
                                    • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                    • Opcode Fuzzy Hash: dfd66daedff1ed465f69e1ec25a1149862e16772085409376d3f26b1d972e468
                                    • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                    APIs
                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                    • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: [End of clipboard]$[Text copied to clipboard]$xdF
                                    • API String ID: 1881088180-1310280921
                                    • Opcode ID: 817b4c01eafabb62cefe08f25f435df96e29b2123a05dda1d2c5d8970e98f987
                                    • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                    • Opcode Fuzzy Hash: 817b4c01eafabb62cefe08f25f435df96e29b2123a05dda1d2c5d8970e98f987
                                    • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                    APIs
                                    • _wcslen.LIBCMT ref: 00416330
                                      • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                      • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                      • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                      • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _wcslen$CloseCreateValue
                                    • String ID: !D@$okmode$PG
                                    • API String ID: 3411444782-3370592832
                                    • Opcode ID: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                    • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                    • Opcode Fuzzy Hash: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                    • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                    APIs
                                      • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                    Strings
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                    • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    • API String ID: 1174141254-1980882731
                                    • Opcode ID: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                    • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                    • Opcode Fuzzy Hash: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                    • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                    APIs
                                      • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                    Strings
                                    • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                    • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                    • API String ID: 1174141254-1980882731
                                    • Opcode ID: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                    • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                    • Opcode Fuzzy Hash: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                    • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                    APIs
                                    • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                    • wsprintfW.USER32 ref: 0040B22E
                                      • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EventLocalTimewsprintf
                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                    • API String ID: 1497725170-1359877963
                                    • Opcode ID: 3915eab654d502a94c5a300c40617f2f32f6303039d7969e722e20a12c8e19e4
                                    • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                    • Opcode Fuzzy Hash: 3915eab654d502a94c5a300c40617f2f32f6303039d7969e722e20a12c8e19e4
                                    • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                    APIs
                                      • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                      • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                    • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateThread$LocalTime$wsprintf
                                    • String ID: Online Keylogger Started
                                    • API String ID: 112202259-1258561607
                                    • Opcode ID: 0fcd38e96aacb40c04b118771990cdae8bba74e61c9056a984dbcae37755a7c2
                                    • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                    • Opcode Fuzzy Hash: 0fcd38e96aacb40c04b118771990cdae8bba74e61c9056a984dbcae37755a7c2
                                    • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                    APIs
                                    • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                    • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: CryptUnprotectData$crypt32
                                    • API String ID: 2574300362-2380590389
                                    • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                    • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                    • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                    • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                    • CloseHandle.KERNEL32(?), ref: 004051CA
                                    • SetEvent.KERNEL32(?), ref: 004051D9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandleObjectSingleWait
                                    • String ID: Connection Timeout
                                    • API String ID: 2055531096-499159329
                                    • Opcode ID: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                    • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                    • Opcode Fuzzy Hash: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                    • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                    • API String ID: 2005118841-1866435925
                                    • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                    • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                    • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                    • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                    APIs
                                    • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041385A
                                    • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,h&y), ref: 00413888
                                    • RegCloseKey.ADVAPI32(?,?,0040F85E,pth_unenc,h&y), ref: 00413893
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: pth_unenc
                                    • API String ID: 1818849710-4028850238
                                    • Opcode ID: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                    • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                    • Opcode Fuzzy Hash: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                    • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                    APIs
                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                      • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                      • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                    • String ID: bad locale name
                                    • API String ID: 3628047217-1405518554
                                    • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                    • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                    • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                    • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                    • ShowWindow.USER32(00000009), ref: 00416C9C
                                    • SetForegroundWindow.USER32 ref: 00416CA8
                                      • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(xKy), ref: 0041CE35
                                      • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                      • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                      • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                    • String ID: !D@
                                    • API String ID: 186401046-604454484
                                    • Opcode ID: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                    • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                    • Opcode Fuzzy Hash: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                    • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: /C $cmd.exe$open
                                    • API String ID: 587946157-3896048727
                                    • Opcode ID: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                    • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                    • Opcode Fuzzy Hash: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                    • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                    APIs
                                    • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                    • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteDirectoryFileRemove
                                    • String ID: pth_unenc$xdF
                                    • API String ID: 3325800564-2448381268
                                    • Opcode ID: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                    • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                    • Opcode Fuzzy Hash: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                    • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                    APIs
                                    • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,h&y,004752F0,?,pth_unenc), ref: 0040B8F6
                                    • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                    • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: TerminateThread$HookUnhookWindows
                                    • String ID: pth_unenc
                                    • API String ID: 3123878439-4028850238
                                    • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                    • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                    • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                    • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __alldvrm$_strrchr
                                    • String ID:
                                    • API String ID: 1036877536-0
                                    • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                    • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                    • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                    • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                    • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                    • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                    • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                    APIs
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                    • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                    • String ID:
                                    • API String ID: 3360349984-0
                                    • Opcode ID: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                    • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                    • Opcode Fuzzy Hash: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                    • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                    APIs
                                    Strings
                                    • Cleared browsers logins and cookies., xrefs: 0040C130
                                    • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                    • API String ID: 3472027048-1236744412
                                    • Opcode ID: 0289ad399ee06c172ada9225b32ea6f8a1a1d489767f054ef65d2596f31f8a52
                                    • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                    • Opcode Fuzzy Hash: 0289ad399ee06c172ada9225b32ea6f8a1a1d489767f054ef65d2596f31f8a52
                                    • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                    APIs
                                      • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                      • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                      • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                    • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                    • Sleep.KERNEL32(00000064), ref: 0040A638
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Window$SleepText$ForegroundLength
                                    • String ID: [ $ ]
                                    • API String ID: 3309952895-93608704
                                    • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                    • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                    • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                    • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: SystemTimes$Sleep__aulldiv
                                    • String ID:
                                    • API String ID: 188215759-0
                                    • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                    • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                    • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                    • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                    • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                    • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                    • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                    • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                    • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                    • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                    • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                    • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                    • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                    • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                    • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleReadSize
                                    • String ID:
                                    • API String ID: 3919263394-0
                                    • Opcode ID: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                    • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                    • Opcode Fuzzy Hash: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                    • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                      • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                    • _UnwindNestedFrames.LIBCMT ref: 00439911
                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                    • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                    • String ID:
                                    • API String ID: 2633735394-0
                                    • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                    • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                    • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                    • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                    APIs
                                    • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                    • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                    • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                    • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: MetricsSystem
                                    • String ID:
                                    • API String ID: 4116985748-0
                                    • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                    • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                    • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                    • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                    APIs
                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                      • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                    • String ID:
                                    • API String ID: 1761009282-0
                                    • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                    • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                    • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                    • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorHandling__start
                                    • String ID: pow
                                    • API String ID: 3213639722-2276729525
                                    • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                    • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                    • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                    • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                    APIs
                                    • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                                      • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                      • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: GdiplusStartupconnectsend
                                    • String ID: ,aF$NG
                                    • API String ID: 1957403310-2168067942
                                    • Opcode ID: 3b2d0cff710a846f5920f95ca5260b3916bb2f9043a7c52255e9bcc64645f95c
                                    • Instruction ID: 646e85ae029ebb21aec6d49858a727e037fa7bb3a6359959f193cd142bf324ca
                                    • Opcode Fuzzy Hash: 3b2d0cff710a846f5920f95ca5260b3916bb2f9043a7c52255e9bcc64645f95c
                                    • Instruction Fuzzy Hash: 8E41D4713042015BC208FB22D892ABF7396ABC0358F50493FF54A672D2EF7C5D4A869E
                                    APIs
                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                      • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                    • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                      • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                      • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                    • String ID: image/jpeg
                                    • API String ID: 1291196975-3785015651
                                    • Opcode ID: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                    • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                    • Opcode Fuzzy Hash: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                    • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                    APIs
                                    • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ACP$OCP
                                    • API String ID: 0-711371036
                                    • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                    • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                    • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                    • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                    APIs
                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                      • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                      • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                      • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                    • String ID: image/png
                                    • API String ID: 1291196975-2966254431
                                    • Opcode ID: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                    • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                    • Opcode Fuzzy Hash: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                    • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                    APIs
                                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                    Strings
                                    • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: KeepAlive | Enabled | Timeout:
                                    • API String ID: 481472006-1507639952
                                    • Opcode ID: 88bc6abef2036a94c41ea4afde5572064ad21bcafcbd622e37c2bb368cee5363
                                    • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                    • Opcode Fuzzy Hash: 88bc6abef2036a94c41ea4afde5572064ad21bcafcbd622e37c2bb368cee5363
                                    • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                    APIs
                                    • Sleep.KERNEL32 ref: 0041667B
                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: DownloadFileSleep
                                    • String ID: !D@
                                    • API String ID: 1931167962-604454484
                                    • Opcode ID: 05864501e3066f261fa3773e90e58814017deb9033068c5665e3f6f63e0eedc9
                                    • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                    • Opcode Fuzzy Hash: 05864501e3066f261fa3773e90e58814017deb9033068c5665e3f6f63e0eedc9
                                    • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                    APIs
                                    • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID: | $%02i:%02i:%02i:%03i
                                    • API String ID: 481472006-2430845779
                                    • Opcode ID: 52f1b42f153ed4b644b91f11fc4c23a59010ae0a013f6087acbd7f2f1f111652
                                    • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                    • Opcode Fuzzy Hash: 52f1b42f153ed4b644b91f11fc4c23a59010ae0a013f6087acbd7f2f1f111652
                                    • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: alarm.wav$hYG
                                    • API String ID: 1174141254-2782910960
                                    • Opcode ID: 7f74c5974817e7ba13f1ccd263a025762fd74d89f9f55a83648a59f77019ac27
                                    • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                    • Opcode Fuzzy Hash: 7f74c5974817e7ba13f1ccd263a025762fd74d89f9f55a83648a59f77019ac27
                                    • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                    APIs
                                      • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                      • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                      • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                    • UnhookWindowsHookEx.USER32 ref: 0040B102
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                    • String ID: Online Keylogger Stopped
                                    • API String ID: 1623830855-1496645233
                                    • Opcode ID: 539f72ab5f86f5c342155b2b16da774537cba30e5d1a0a8ca2b311f7dcb13205
                                    • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                    • Opcode Fuzzy Hash: 539f72ab5f86f5c342155b2b16da774537cba30e5d1a0a8ca2b311f7dcb13205
                                    • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                    APIs
                                    • waveInPrepareHeader.WINMM(0079DC40,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                    • waveInAddBuffer.WINMM(0079DC40,00000020,?,00000000,00401A15), ref: 0040185F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: wave$BufferHeaderPrepare
                                    • String ID: XMG
                                    • API String ID: 2315374483-813777761
                                    • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                    • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                    • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                    • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: $G
                                    • API String ID: 269201875-4251033865
                                    • Opcode ID: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                    • Instruction ID: 4a6f060c21597e0392f33703011e6e0157da39883ddad7ec559e06d861eb6f1f
                                    • Opcode Fuzzy Hash: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                    • Instruction Fuzzy Hash: 64E0E532A0152014F6713A3B6D1665B45C68BC1B3AF22423FF425962C2DFAC8946516E
                                    APIs
                                    • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LocaleValid
                                    • String ID: IsValidLocaleName$kKD
                                    • API String ID: 1901932003-3269126172
                                    • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                    • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                    • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                    • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                    • API String ID: 1174141254-4188645398
                                    • Opcode ID: 67a37633ad4a3934eb7a9710067efd7b2c9a9b469ed032209e18e61634ff2717
                                    • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                    • Opcode Fuzzy Hash: 67a37633ad4a3934eb7a9710067efd7b2c9a9b469ed032209e18e61634ff2717
                                    • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                    • API String ID: 1174141254-2800177040
                                    • Opcode ID: 7414731bf553168197ebf71208b97339720711320eac3921dee6b082f9eb1638
                                    • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                    • Opcode Fuzzy Hash: 7414731bf553168197ebf71208b97339720711320eac3921dee6b082f9eb1638
                                    • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                    APIs
                                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: AppData$\Opera Software\Opera Stable\
                                    • API String ID: 1174141254-1629609700
                                    • Opcode ID: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                    • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                    • Opcode Fuzzy Hash: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                    • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
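The function blocks above expose a small, stable set of host-side indicators: the wide-string browser profile paths passed to PathFileExistsW (Chrome, Edge, Opera), the keylogger strings ("Online Keylogger Stopped", the "%02i:%02i:%02i:%03i" timestamp format), the "KeepAlive | Enabled | Timeout: " log prefix, the GDI+ "image/jpeg" and "image/png" encoder names, and the URLMON/WINMM imports used for download-and-execute and microphone capture. The triage script below turns that listing into a check that can be run over any memory dump (for instance the .sdmp files referenced in each block). It is an added example, not part of the Joe Sandbox report and not code from the sample; the grouping of indicators into capabilities and the "three capabilities plus at least one string hit" threshold are my own choices, and the two dump buffers are constructed so the script runs offline.

```python
"""Triage a memory dump for the Remcos indicators in this report's listing.

Added example, not part of the Joe Sandbox report or of the sample. The
indicator strings and API names are copied from the function listing above;
the two sample buffers at the bottom are constructed so the script runs offline.
"""
from __future__ import annotations

import re

# Capability groups derived from the report's API/String IDs. API names
# (import table, ASCII) are weak evidence on their own; the strings are
# what make a dump look like Remcos rather than any ordinary Win32 program.
INDICATORS: dict[str, dict[str, list[str]]] = {
    "keylogger": {
        "strings": ["Online Keylogger Stopped", "%02i:%02i:%02i:%03i"],
        "apis": ["ToUnicodeEx", "GetKeyboardLayout", "UnhookWindowsHookEx"],
    },
    "browser_cred_paths": {
        "strings": [
            "\\AppData\\Local\\Google\\Chrome\\",
            "\\AppData\\Local\\Microsoft\\Edge\\",
            "\\Opera Software\\Opera Stable\\",
        ],
        "apis": ["PathFileExistsW"],
    },
    "screen_capture": {
        "strings": ["image/jpeg", "image/png"],
        "apis": ["SHCreateMemStream", "GdipSaveImageToStream"],
    },
    "audio_capture": {"strings": [], "apis": ["waveInPrepareHeader", "waveInAddBuffer"]},
    "download_exec": {"strings": [], "apis": ["URLDownloadToFileW"]},
    "c2_keepalive": {"strings": ["KeepAlive | Enabled | Timeout: "], "apis": []},
}


def find_string(buf: bytes, s: str) -> list[tuple[str, str, int]]:
    """Return (indicator, encoding, offset) for every ASCII or UTF-16LE hit.

    The W-suffixed APIs in the listing take wide strings, so the paths and
    log messages are normally stored UTF-16LE; the MIME types are ASCII.
    """
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = s.encode(enc)
        start = 0
        while (i := buf.find(needle, start)) != -1:
            hits.append((s, enc, i))
            start = i + 1
    return hits


def find_api(buf: bytes, name: str) -> list[int]:
    """Offsets of an imported API name as a whole ASCII identifier."""
    pat = rb"(?<![A-Za-z0-9_])" + re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
    return [m.start() for m in re.finditer(pat, buf)]


def scan_dump(buf: bytes) -> dict[str, dict[str, list]]:
    """Map each capability with at least one hit to its string and API hits."""
    result: dict[str, dict[str, list]] = {}
    for cap, ind in INDICATORS.items():
        strings = [h for s in ind["strings"] for h in find_string(buf, s)]
        apis = [(a, off) for a in ind["apis"] for off in find_api(buf, a)]
        if strings or apis:
            result[cap] = {"strings": strings, "apis": apis}
    return result


def is_remcos_like(result: dict[str, dict[str, list]], min_caps: int = 3) -> bool:
    """Require several capability groups and at least one string hit, so a
    benign binary that merely imports PathFileExistsW does not trigger."""
    has_string = any(r["strings"] for r in result.values())
    return len(result) >= min_caps and has_string


def _w(s: str) -> bytes:
    """UTF-16LE with a wide NUL terminator, as a W-API string sits in memory."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample dumps (not real memory): one Remcos-like, one benign.
SAMPLE_REMCOS_DUMP = (
    b"MZ" + b"\x00" * 14
    + b"URLDownloadToFileW\x00PathFileExistsW\x00ToUnicodeEx\x00"
    + b"UnhookWindowsHookEx\x00waveInAddBuffer\x00GdipSaveImageToStream\x00"
    + _w("\\AppData\\Local\\Google\\Chrome\\")
    + _w("Online Keylogger Stopped")
    + _w("KeepAlive | Enabled | Timeout: ")
    + b"image/jpeg\x00" + b"\x90" * 32
)
SAMPLE_BENIGN_DUMP = b"MZ" + b"\x00" * 64 + b"GetLocalTime\x00PathFileExistsW\x00notepad.exe\x00"

if __name__ == "__main__":
    for name, dump in (("remcos", SAMPLE_REMCOS_DUMP), ("benign", SAMPLE_BENIGN_DUMP)):
        res = scan_dump(dump)
        print(f"{name}: {sorted(res)} -> remcos_like={is_remcos_like(res)}")
```

To use it on a real dump, read the .sdmp (or a process memory region) into `buf` and call `scan_dump(buf)`; the offsets it returns can be fed back into the disassembler alongside the `ref:` addresses in the blocks above. The threshold is deliberately conservative: PathFileExistsW, GetLocalTime and GDI+ appear in plenty of legitimate software, so a verdict is only raised when several capability groups co-occur and at least one Remcos-specific string is present.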
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.4138733574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000000.00000002.4138721891.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138803518.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138820858.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.4138883323.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_400000_17273431863ab7a79d0c4618c39383a44188eff7849fa1201010774aef83d8c896a4db.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: $G
                                    • API String ID: 269201875-4251033865
                                    • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                    • Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
                                    • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                    • Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
                                    APIs
                                    • GetKeyState.USER32(00000011), ref: 0040B686
                                      • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                      • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                      • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                      • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                      • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                      • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                      • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                      • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                    Similarity
                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                    • String ID: [AltL]$[AltR]
                                    • API String ID: 2738857842-2658077756
                                    APIs
                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                    Similarity
                                    • API ID: ExecuteShell
                                    • String ID: !D@$open
                                    • API String ID: 587946157-1586967515
                                    APIs
                                    • GetKeyState.USER32(00000012), ref: 0040B6E0
                                    Similarity
                                    • API ID: State
                                    • String ID: [CtrlL]$[CtrlR]
                                    • API String ID: 1649606143-2446555240
                                    APIs
                                      • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                    • __Init_thread_footer.LIBCMT ref: 00410F64
                                    Similarity
                                    • API ID: Init_thread_footer__onexit
                                    • String ID: ,kG$0kG
                                    • API String ID: 1881088180-2015055088
                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,h&y,004752F0,?,pth_unenc), ref: 00413A6C
                                    • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                    Similarity
                                    • API ID: DeleteOpenValue
                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                    • API String ID: 2654517830-1051519024
                                    APIs
                                    • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                    • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                    Similarity
                                    • API ID: ObjectProcessSingleTerminateWait
                                    • String ID: pth_unenc
                                    • API String ID: 1872346434-4028850238
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                    • GetLastError.KERNEL32 ref: 00440D85
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast
                                    • String ID:
                                    • API String ID: 1717984340-0
                                    APIs
                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                    • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                    • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                    • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                    Similarity
                                    • API ID: ErrorLastRead
                                    • String ID:
                                    • API String ID: 4100373531-0