
Windows Analysis Report
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe

Overview

General Information

Sample name: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe
Analysis ID: 1527170
MD5: 1a3fee38ced030e1751a309616c39202
SHA1: 22225d38e12119d28ad800eab10a9e80d64decb4
SHA256: 5c98933333dba1be4be8e673353fe8f433de2d21ea955591db12e6ec178a8598
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (Remcos):
{
  "Host:Port:Password": "michelsrmccontrol.duckdns.org:14645:1",
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-PXKO50",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Source | Rule | Description | Author | Strings
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown |
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x134b8:$a1: Remcos restarted by watchdog!
  • 0x13a30:$a3: %02i:%02i:%02i:%03i
00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Source | Rule | Description | Author | Strings
1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aab8:$a1: Remcos restarted by watchdog!
  • 0x6b030:$a3: %02i:%02i:%02i:%03i
1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b7c:$str_b2: Executing file:
  • 0x65bfc:$str_b3: GetDirectListeningPort
  • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65728:$str_b7: \update.vbs
  • 0x64ba4:$str_b9: Downloaded file:
  • 0x64b90:$str_b10: Downloading file:
  • 0x64c34:$str_b12: Failed to upload file:
  • 0x65bc4:$str_b13: StartForward
  • 0x65be4:$str_b14: StopForward
  • 0x65680:$str_b15: fso.DeleteFile "
  • 0x65614:$str_b16: On Error Resume Next
  • 0x656b0:$str_b17: fso.DeleteFolder "
  • 0x64c24:$str_b18: Uploaded file:
  • 0x64be4:$str_b19: Unable to delete:
  • 0x65648:$str_b20: while fso.FileExists("
  • 0x650c1:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: Registry Key set
Author: Joe Security
Data: Details: 15 4A 30 7C AC 55 CB 7F 26 C3 CF 33 8A 63 8D 0F E0 50 89 83 4F 6E BE F3 BF AF 12 60 C8 D5 48 46 53 7F BC 8D 64 01 76 C2 ED 62 2E FB DF 85 09 DE F4 9E 85 D8 EF 10 B1 C2 6C AC 6E 3F A7 6C 32 BB FF F0 20 60 13 D4 7D 1D C7 D1 B1 5D D4 AD AB 4F 98 82 44 0A 72 5A 9E 00 AD 08 64 7A 5E 3F 17 93 86 6E B3 AF 2F 16 17 97 CC 05 7C E2 AE 94 9F F6 D9 F1 ED B2 33 0D CC 05 D5 93 AB 25 CC 5B ED 25 93 22 2E 0F D5 07 C4 10 FB CF 8E D0 A8 5C 06 1E 8F 69 82 27 B5 C8 F8 4E D9 DB 7C BE 5B 97 92 EE 90 94 09 D5 A2 74 CF 5A 96 BD F2 AC BE 54 74 5F D2 8A E2 8A D6 DB 6B E3 F3 8C 25 E6 47 A3 F0 24 3A 16 D2 F0 9C 1E BC B1 0D 2F 94 6C 3F EC BB 6A 0D 63 28 65 AC 3E 0B AC 68 A1 1E 18 3D 78 53 79 81 89 7C DA FB 13 24 C8 D9 66 29 79 8A 11 FF D9 DD CE
EventID: 13
EventType: SetValue
Image: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe
ProcessId: 7512
TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-PXKO50\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-06T21:17:45.007376+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:17:47.780062+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49701 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:17:50.224730+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49713 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:17:52.688021+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49732 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:17:55.126833+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49748 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:17:57.570628+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49764 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:00.003971+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49781 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:02.459457+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49801 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:04.881275+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49817 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:07.346600+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49833 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:09.762635+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49849 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:12.188031+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49865 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:14.637642+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49881 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:17.054052+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49898 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:19.485301+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49917 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:21.965525+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49931 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:24.405170+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49948 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:26.843456+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49965 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:29.379636+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49984 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:31.817752+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49989 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:34.282874+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49990 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:37.192861+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49991 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:39.677719+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49992 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:42.127026+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49995 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:44.757429+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49997 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:47.173025+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49998 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:49.594937+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49999 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:52.015982+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50000 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:54.477716+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50001 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:56.937129+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50002 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:18:59.374546+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50003 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:01.782855+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50004 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:04.222174+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50005 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:06.608860+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50006 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:08.992000+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50007 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:11.365002+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50008 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:13.662537+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50009 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:15.956423+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50010 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:18.204492+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50011 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:20.404581+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50012 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:22.616980+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50013 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:24.784533+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50014 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:26.928487+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50015 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:29.048435+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50016 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:31.155197+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50017 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:33.233021+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50018 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:35.263496+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50019 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:37.347556+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50020 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:39.380465+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50021 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:41.377416+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50022 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:43.348073+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50023 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:45.602631+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50024 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:47.534513+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50025 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:49.457995+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50026 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:51.361989+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50027 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:53.275823+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50028 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:55.127706+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50029 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:57.078774+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50030 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:19:58.908399+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50031 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:00.982899+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50032 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:02.780030+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50033 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:04.586365+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50034 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:06.380480+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50035 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:08.172481+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50036 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:09.944588+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50037 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:11.708205+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50038 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:13.492801+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50039 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:15.274478+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50040 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:16.989092+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50041 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:18.713468+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50042 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:20.432034+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50043 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:22.128506+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50044 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:23.819577+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50045 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:25.499127+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50046 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:27.245569+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50047 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:29.442632+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50048 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:31.100993+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50049 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:32.738529+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50050 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:34.400587+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50051 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:36.055488+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50052 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:37.712543+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50053 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:39.331772+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50054 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:40.937975+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50055 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:42.552247+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50056 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:44.142188+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50057 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:45.846778+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50058 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:47.421636+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50059 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:49.018830+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50060 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:50.581656+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50061 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:52.159544+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50062 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:53.743496+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50063 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:55.339574+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50064 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:56.924940+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50065 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:20:58.487795+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50066 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:00.054365+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50067 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:01.595285+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50068 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:03.175735+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50069 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:04.876288+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50070 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:06.443534+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50071 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:07.954602+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50072 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:09.468570+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50073 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:11.025627+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50074 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:12.536555+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50075 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:14.098755+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50076 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:15.618649+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50077 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:17.136621+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50078 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:18.801222+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50079 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:20.318614+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50080 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:21.816565+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50081 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:23.332199+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50082 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:24.816785+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50083 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:26.488905+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50084 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:27.996264+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50085 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:29.473027+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50086 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:30.973310+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50087 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:32.502052+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50088 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:34.337414+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50089 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:35.863471+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50090 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:37.352614+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50091 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:39.167591+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50092 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:40.641133+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50093 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:42.148206+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50094 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:43.630698+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50095 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:45.114217+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50096 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:47.150758+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50097 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:48.680895+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50098 | 107.175.130.20 | 14645 | TCP
2024-10-06T21:21:50.162682+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50099 | 107.175.130.20 | 14645 | TCP


AV Detection

                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeAvira: detected
                      Source: 00000001.00000002.3788914692.000000000076E000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "michelsrmccontrol.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-PXKO50", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeReversingLabs: Detection: 86%
                      Source: Yara matchFile source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLE
                      Source: Yara matchFile source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.3788914692.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe PID: 7512, type: MEMORYSTR
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,1_2_004338C8
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_aaadc231-3

                      Exploits

                      Source: Yara matchFile source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLE
                      Source: Yara matchFile source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe PID: 7512, type: MEMORYSTR

                      Privilege Escalation

                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00407538 _wcslen,CoGetObject,1_2_00407538
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,1_2_0040928E
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,1_2_0041C322
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,1_2_0040C388
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,1_2_004096A0
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,1_2_00408847
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00407877 FindFirstFileW,FindNextFileW,1_2_00407877
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0044E8F9 FindFirstFileExA,1_2_0044E8F9
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,1_2_0040BB6B
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,1_2_00419B86
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,1_2_0040BD72
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,1_2_00407CD2

                      Networking

                      Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49699 -> 107.175.130.20:14645
                      Source: Malware configuration extractorURLs: michelsrmccontrol.duckdns.org
                      Source: unknownDNS query: name: michelsrmccontrol.duckdns.org
                      Source: global trafficTCP traffic: 192.168.2.7:49699 -> 107.175.130.20:14645
                      Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00426D42 recv,1_2_00426D42
                      Source: global trafficDNS traffic detected: DNS query: michelsrmccontrol.duckdns.org
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp/C

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,000000001_2_0040A2F3
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,1_2_0040B749
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,1_2_004168FC
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,1_2_0040A41B
                      Source: Yara matchFile source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLE
                      Source: Yara matchFile source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe PID: 7512, type: MEMORYSTR

                      E-Banking Fraud

                      Source: Yara matchFile source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLE
                      Source: Yara matchFile source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.3788914692.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe PID: 7512, type: MEMORYSTR

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0041CA73 SystemParametersInfoW,1_2_0041CA73

                      System Summary

                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe PID: 7512, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeProcess Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,1_2_0041330D
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle,1_2_0041BBC6
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle,1_2_0041BB9A
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,1_2_004167EF
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0043706A1_2_0043706A
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004140051_2_00414005
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0043E11C1_2_0043E11C
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004541D91_2_004541D9
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004381E81_2_004381E8
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0041F18B1_2_0041F18B
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004462701_2_00446270
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0043E34B1_2_0043E34B
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004533AB1_2_004533AB
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0042742E1_2_0042742E
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004375661_2_00437566
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0043E5A81_2_0043E5A8
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004387F01_2_004387F0
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0043797E1_2_0043797E
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_004339D71_2_004339D7
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0044DA491_2_0044DA49
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00427AD71_2_00427AD7
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0041DBF31_2_0041DBF3
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00427C401_2_00427C40
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00437DB31_2_00437DB3
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00435EEB1_2_00435EEB
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0043DEED1_2_0043DEED
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_00426E9F1_2_00426E9F
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: String function: 00402093 appears 50 times
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: String function: 00401E65 appears 35 times
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: String function: 00434E70 appears 54 times
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: String function: 00434801 appears 42 times
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe PID: 7512, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/0@5/1
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,1_2_0041798D
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,1_2_0040F4AF
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,1_2_0041B539
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCode function: 1_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,1_2_0041AADB
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-PXKO50
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: Software\1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: Rmc-PXKO501_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: Exe1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: Exe1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: Rmc-PXKO501_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: ,aF1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: Inj1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: Inj1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: 8SG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: exepath1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: ,aF1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: 8SG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: exepath1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: licence1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: dMG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: PSG1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: Administrator1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: User1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: del1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: del1_2_0040EA00
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeCommand line argument: del1_2_0040EA00
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeReversingLabs: Detection: 86%
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: winmm.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: wininet.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: netutils.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: rstrtmgr.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeSection loaded: cryptbase.dll
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 1_2_0041CBE1
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00457186 push ecx; ret 1_2_00457199
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00457AA8 push eax; ret 1_2_00457AC6
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00434EB6 push ecx; ret 1_2_00434EC9
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00406EEB ShellExecuteW,URLDownloadToFileW, 1_2_00406EEB
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 1_2_0041AADB
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0040F7E2 Sleep,ExitProcess, 1_2_0040F7E2
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 1_2_0041A7D9
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Window / User API: threadDelayed 4254
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Window / User API: threadDelayed 5689
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | API coverage: 9.4 %
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe TID: 7528 | Thread sleep count: 4254 > 30
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe TID: 7528 | Thread sleep time: -12762000s >= -30000s
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe TID: 7528 | Thread sleep count: 5689 > 30
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe TID: 7528 | Thread sleep time: -17067000s >= -30000s
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_2_0040928E
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 1_2_0041C322
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 1_2_0040C388
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_2_004096A0
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 1_2_00408847
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00407877 FindFirstFileW,FindNextFileW, 1_2_00407877
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0044E8F9 FindFirstFileExA, 1_2_0044E8F9
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 1_2_0040BB6B
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 1_2_00419B86
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 1_2_0040BD72
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 1_2_00407CD2
Source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, 00000001.00000002.3788914692.0000000000793000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | API call chain: ExitProcess graph end node (graph_1-48533)
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00434A8A
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 1_2_0041CBE1
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00443355 mov eax, dword ptr fs:[00000030h] 1_2_00443355
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_004120B2 GetProcessHeap,HeapFree, 1_2_004120B2
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0043503C
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0043BB71
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00434BD8 SetUnhandledExceptionFilter, 1_2_00434BD8
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 1_2_00412132
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00419662 mouse_event, 1_2_00419662
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00434CB6 cpuid 1_2_00434CB6
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: EnumSystemLocalesW, 1_2_0045201B
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: EnumSystemLocalesW, 1_2_004520B6
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_00452143
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: GetLocaleInfoW, 1_2_00452393
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: EnumSystemLocalesW, 1_2_00448484
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_004524BC
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: GetLocaleInfoW, 1_2_004525C3
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00452690
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: GetLocaleInfoW, 1_2_0044896D
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: GetLocaleInfoA, 1_2_0040F90C
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_00451D58
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: EnumSystemLocalesW, 1_2_00451FD0
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00404F51 GetLocalTime,CreateEventA,CreateThread, 1_2_00404F51
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_0041B69E GetComputerNameExW,GetUserNameW, 1_2_0041B69E
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: 1_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 1_2_00449210
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3788914692.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe PID: 7512, type: MEMORYSTR
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 1_2_0040BA4D
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 1_2_0040BB6B
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: \key3.db 1_2_0040BB6B

Remote Access Functionality

Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-PXKO50
Source: Yara match | File source: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.0.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3788914692.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe PID: 7512, type: MEMORYSTR
Source: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | Code function: cmd.exe 1_2_0040569A
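
The evidence rows in the Malware Analysis System Evasion, Stealing of Sensitive Information and Remote Access Functionality sections above are easy to read one by one but awkward to act on. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code, that turns such rows into triage findings: it applies the sleep-loop heuristic using the thresholds the report prints (more than 30 calls, at least 30000 ms; reading the sandbox's negative figures as accumulated milliseconds is an assumption), matches the Remcos mutex format generalised from Rmc-PXKO50, flags dynamic-DNS C2 hostnames, and picks out the browser credential-store paths. The evidence lines are a constructed excerpt; the "DNS query" line is constructed from the report's network table rather than copied from a behaviour row.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the evidence rows in the report above.
# Wording follows the Joe Sandbox rows; the "DNS query" line is built from
# the report's network table, not copied from a behaviour row.
SAMPLE_EVIDENCE = """\
TID: 7528 Thread sleep count: 4254 > 30
TID: 7528 Thread sleep time: -12762000s >= -30000s
TID: 7528 Thread sleep count: 5689 > 30
TID: 7528 Thread sleep time: -17067000s >= -30000s
Mutex created: \\Sessions\\1\\BaseNamedObjects\\Rmc-PXKO50
Code function: \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
Code function: \\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\
Code function: \\key3.db
DNS query: michelsrmccontrol.duckdns.org
Code function: ShellExecuteW,URLDownloadToFileW
"""

# Remcos names its mutex "Rmc-" plus six upper-case alphanumerics; the
# pattern is generalised from the Rmc-PXKO50 mutex in this report.
REMCOS_MUTEX = re.compile(r"\bRmc-[A-Z0-9]{6}\b")

# Dynamic DNS providers commonly seen as RAT C2; extend as needed.
DYN_DNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "ddns.net",
                    "hopto.org", "zapto.org")

# Browser credential stores named in the report.
CRED_STORE_MARKERS = ("\\Login Data", "\\key3.db", "\\Mozilla\\Firefox\\Profiles")

# Thresholds as printed in the report rows ("> 30", ">= 30000"); treating
# the figures as a call count and total milliseconds is an assumption.
SLEEP_COUNT_THRESHOLD = 30
SLEEP_TOTAL_MS_THRESHOLD = 30_000

SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time: (-?\d+)s")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


@dataclass
class Findings:
    sleep_calls: int = 0
    sleep_total_ms: int = 0
    sleep_evasion: bool = False
    remcos_mutexes: list = field(default_factory=list)
    dyn_dns_hosts: list = field(default_factory=list)
    cred_store_paths: list = field(default_factory=list)
    download_and_run: bool = False


def analyse(evidence: str) -> Findings:
    """Scan evidence lines and collect the findings a triager cares about."""
    f = Findings()
    for line in evidence.splitlines():
        if m := SLEEP_COUNT_RE.search(line):
            f.sleep_calls += int(m.group(1))
        if m := SLEEP_TIME_RE.search(line):
            # The sandbox prints the accumulated delay as a negative number;
            # only the magnitude matters for the threshold.
            f.sleep_total_ms += abs(int(m.group(1)))
        f.remcos_mutexes += REMCOS_MUTEX.findall(line)
        for host in HOST_RE.findall(line):
            if host.lower().endswith(DYN_DNS_SUFFIXES):
                f.dyn_dns_hosts.append(host.lower())
        if any(marker in line for marker in CRED_STORE_MARKERS):
            f.cred_store_paths.append(line.split("Code function: ", 1)[-1])
        # Download-and-execute primitive: both APIs in one function.
        if "URLDownloadToFileW" in line and "ShellExecuteW" in line:
            f.download_and_run = True
    f.sleep_evasion = (f.sleep_calls > SLEEP_COUNT_THRESHOLD
                       or f.sleep_total_ms >= SLEEP_TOTAL_MS_THRESHOLD)
    return f


def average_sleep_ms(f: Findings) -> float:
    """Mean delay per Sleep call, which reveals the loop's period."""
    return f.sleep_total_ms / f.sleep_calls if f.sleep_calls else 0.0


if __name__ == "__main__":
    result = analyse(SAMPLE_EVIDENCE)
    print(result)
    print(f"average sleep per call: {average_sleep_ms(result):.0f} ms")
```

Dividing the accumulated delay by the call count gives exactly 3000 ms for both TID 7528 pairs (12762000/4254 and 17067000/5689), so the sample sits in a 3-second sleep loop; the 4828147 modified Sleep calls logged by the API interceptor later in the report show the sandbox shortening those delays rather than waiting them out, which is why behaviour was still observed before the timeout.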
MITRE ATT&CK Matrix

Techniques with signature hits, grouped by tactic (the number in parentheses is the count shown in the matrix cell). No hits were recorded under Reconnaissance, Resource Development, Initial Access, Lateral Movement or Exfiltration.

Execution: Native API (1), Command and Scripting Interpreter (12), Service Execution (2)
Persistence: DLL Side-Loading (1), Windows Service (1)
Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (1)
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Bypass User Account Control (1), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (1)
Credential Access: OS Credential Dumping (1), Input Capture (111), Credentials In Files (2)
Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (2), System Information Discovery (23), Security Software Discovery (21), Virtualization/Sandbox Evasion (1), Process Discovery (1), Application Window Discovery (1), System Owner/User Discovery (1)
Collection: Archive Collected Data (11), Input Capture (111), Clipboard Data (3)
Command and Control: Ingress Tool Transfer (11), Encrypted Channel (2), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (1), Application Layer Protocol (21)
Impact: System Shutdown/Reboot (1), Defacement (1)

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | 87% | ReversingLabs | Win32.Backdoor.Remcos
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | 100% | Joe Sandbox ML |
                      No Antivirus matches
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
Domains and IPs

Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
michelsrmccontrol.duckdns.org | 107.175.130.20 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
michelsrmccontrol.duckdns.org | true | | unknown

URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe | false | URL Reputation: safe | unknown
Contacted public IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
107.175.130.20 | michelsrmccontrol.duckdns.org | United States | 36352 | AS-COLOCROSSINGUS | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1527170
Start date and time: 2024-10-06 21:16:40 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/0@5/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 26
• Number of non-executed functions: 225
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe
Time | Type | Description
16:32:43 | API Interceptor | 4828147x Sleep call for process: 1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe modified
Context for IP 107.175.130.20 (previously seen in):
Associated Sample Name / URL | Detection | Threat Name
CxVokk1Xp2.rtf | malicious | Remcos
A&CMetrology_10002099678.xls | malicious | Remcos

Context for domain michelsrmccontrol.duckdns.org (previously seen in):
Associated Sample Name / URL | Detection | Threat Name | Resolved IP
CxVokk1Xp2.rtf | malicious | Remcos | 107.175.130.20
A&CMetrology_10002099678.xls | malicious | Remcos | 107.175.130.20

Context for ASN AS-COLOCROSSINGUS (previously seen in):
Associated Sample Name / URL | Detection | Threat Name | IP
DSpWOKW7zn.rtf | malicious | Remcos | 107.172.130.147
IpEmBW3Qw5.rtf | malicious | Unknown | 192.3.220.20
https://extensivetraders.org/ | malicious | Unknown | 75.127.1.122
DHL Shipment Doc's.xls | malicious | Remcos | 192.3.220.20
Swift Copy.xls | malicious | Unknown | 107.172.148.201
PO-00536.xls | malicious | Remcos | 192.3.220.20
Formularz instrukcji płatności Millennium.xls | malicious | Remcos | 107.172.130.147
TTXAPPLICATION.xls | malicious | Snake Keylogger | 172.245.123.6
CxVokk1Xp2.rtf | malicious | Remcos | 107.175.130.20
UfsYHroDY1.rtf | malicious | FormBook | 104.168.7.36
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.601585859795076
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe
                              File size:494'592 bytes
                              MD5:1a3fee38ced030e1751a309616c39202
                              SHA1:22225d38e12119d28ad800eab10a9e80d64decb4
                              SHA256:5c98933333dba1be4be8e673353fe8f433de2d21ea955591db12e6ec178a8598
                              SHA512:46e5c3c0681de287234d19e7d03fbf437081b1eb216130b79e2606bd41e29886d8bbf4d9128c1320b4026f4f0e284b3aee3bab5c660078d06967c9699aebe5ad
                              SSDEEP:6144:4Tz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZXAXkcrwuT4:4TlrYw1RUh3NFn+N5WfIQIjbs/ZXYT4
                              TLSH:40B49E01BAD1C072D97514300D3AF776EAB8BD201835497B73EA1D5BFE31190A72AAB7
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
                              Icon Hash:95694d05214c1b33
                              Entrypoint:0x434a80
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE (neither DYNAMIC_BASE nor NX_COMPAT is set: despite shipping a .reloc section the image keeps its fixed 0x400000 base unless mandatory ASLR is forced system-wide, and it is not opted in to DEP under the default client-side OptIn policy)
                              Time Stamp:0x66F18049 [Mon Sep 23 14:50:49 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:1389569a3a39186f3eb453b501cfe688
                              Instruction
call 00007F0F5D256B6Bh               ; __security_init_cookie: the usual MSVC CRT entry stub sets up the /GS cookie ...
jmp 00007F0F5D2565B3h                ; ... and tail-jumps into the CRT startup routine (which then calls the real main)
push ebp                             ; --- following function: layout matches the CRT's __report_securityfailure(FailureCode),
mov ebp, esp                         ;     the handler behind __report_gsfailure (/GS cookie mismatch) and range-check failures
sub esp, 00000324h                   ; locals: CONTEXT (0x2CC) + EXCEPTION_RECORD (0x50) + 8 bytes
push ebx
push esi
push 00000017h                       ; PF_FASTFAIL_AVAILABLE (23)
call 00007F0F5D278E03h               ; IsProcessorFeaturePresent
test eax, eax
je 00007F0F5D256727h                 ; no fast-fail support -> software path below
mov ecx, dword ptr [ebp+08h]         ; ecx = FailureCode argument (FAST_FAIL_STACK_COOKIE_CHECK_FAILURE = 2 for the /GS case)
int 29h                              ; __fastfail: the kernel terminates the process; no SEH/VEH handler or user-mode debugger gets a say
xor esi, esi
lea eax, dword ptr [ebp-00000324h]
push 000002CCh                       ; sizeof(CONTEXT) on x86
push esi
push eax
mov dword ptr [00471D14h], esi       ; clear a handler global (not resolved in this listing)
call 00007F0F5D258B76h               ; memset(&ctx, 0, 0x2CC)
add esp, 0Ch
mov dword ptr [ebp-00000274h], eax   ; ctx.Eax
mov dword ptr [ebp-00000278h], ecx   ; ctx.Ecx
mov dword ptr [ebp-0000027Ch], edx   ; ctx.Edx
mov dword ptr [ebp-00000280h], ebx   ; ctx.Ebx
mov dword ptr [ebp-00000284h], esi   ; ctx.Esi
mov dword ptr [ebp-00000288h], edi   ; ctx.Edi
mov word ptr [ebp-0000025Ch], ss     ; ctx.SegSs
mov word ptr [ebp-00000268h], cs     ; ctx.SegCs
mov word ptr [ebp-0000028Ch], ds     ; ctx.SegDs
mov word ptr [ebp-00000290h], es     ; ctx.SegEs
mov word ptr [ebp-00000294h], fs     ; ctx.SegFs
mov word ptr [ebp-00000298h], gs     ; ctx.SegGs
pushfd
pop dword ptr [ebp-00000264h]        ; ctx.EFlags
mov eax, dword ptr [ebp+04h]
mov dword ptr [ebp-0000026Ch], eax   ; ctx.Eip = return address into the failing function
lea eax, dword ptr [ebp+04h]
mov dword ptr [ebp-00000260h], eax   ; ctx.Esp = caller's stack pointer
mov dword ptr [ebp-00000324h], 00010001h  ; ctx.ContextFlags = CONTEXT_CONTROL
mov eax, dword ptr [eax-04h]         ; saved EBP of the caller
push 00000050h                       ; sizeof(EXCEPTION_RECORD) on x86
mov dword ptr [ebp-00000270h], eax   ; ctx.Ebp
lea eax, dword ptr [ebp-58h]
push esi
push eax
call 00007F0F5D258AEDh               ; memset(&exception_record, 0, 0x50); listing is truncated here
Programming Language:
• [C++] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Note: these entries are derived from Rich-header / import-library metadata, which can be stale or forged. The entry-point code above uses int 29h (__fastfail) in its /GS failure handler, a path the Microsoft CRT only gained with VS2012, and the image carries a .gfids section (Control Flow Guard function-ID data, produced by VS2015-or-later compilers), so the VS2008 attribution more likely reflects a statically linked library than the toolchain that built this module.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6eeb8          0x104         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x79000          0x4b54        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x7e000          0x3bc8        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x6d350          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x6d3e4          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x6d388          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x59000          0x500         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy               Characteristics
.text   0x1000           0x571f5       0x57200   e504ab64b98631753dc227346d757c52  False     0.5716379348995696   data       6.6273936921798455    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x59000          0x179dc       0x17a00   03563836e8ba6bd75dd82177f19b0089  False     0.5008370535714286   data       5.862029025853186     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x71000          0x5d44        0xe00     0eaccffe1cb836994ce5d3ccfb22d4f9  False     0.22126116071428573  data       3.0035180736120775    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0x77000          0x9           0x200     1f354d76203061bfdd5a53dae48d5435  False     0.033203125          data       0.020393135236084953  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids  0x78000          0x230         0x400     9ca325bce9f8c0342c0381814603584a  False     0.330078125          data       2.3999762503719224    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x79000          0x4b54        0x4c00    cb31159d8fee1bde4a669aacae30e0e2  False     0.2841796875         data       3.9905897434701076    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x7e000          0x3bc8        0x3c00    047d13d1dd0f82094cdf10f08253441e  False     0.7640625            data       6.723768218094163     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                              Language  Country        ZLIB Complexity
RT_ICON        0x7918c  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088  English   United States  0.3421985815602837
RT_ICON        0x795f4  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2400  English   United States  0.27704918032786885
RT_ICON        0x79f7c  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224  English   United States  0.23686679174484052
RT_ICON        0x7b024  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600  English   United States  0.22977178423236513
RT_RCDATA      0x7d5cc  0x546   data                                                                                       1.0081481481481482
RT_GROUP_ICON  0x7db14  0x3e    data                                                              English   United States  0.8064516129032258
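The RT_RCDATA entry above (0x546 bytes, ZLIB complexity above 1.0, i.e. incompressible) is where this family keeps its encrypted settings, and it is what the "Found malware configuration" verdict is based on. The Python below is an added example written for this page, not Joe Sandbox or Remcos code. It assumes the widely documented Remcos 3.x/4.x layout: one byte of RC4 key length, the key, then RC4-encrypted settings whose fields are separated by `|\x1e\x1e\x1f|`, the first field holding `host:port:password` C2 entries (separated by `\x1e\x1e\x1f`). Verify that layout against the resource pulled from the real sample; the fixture key, password and extra fields are constructed, only the host:port is taken from the alert table further down. `rcdata_from_pe` needs the optional `pefile` package and is not called by the demo.

```python
"""Parse a Remcos-style RT_RCDATA settings blob (added example, see lead-in)."""
from typing import List, Tuple

# Field delimiter of the decrypted settings and separator between C2 entries
# inside field 0. Both are assumptions about the Remcos 3.x/4.x format.
FIELD_SEP = b"|\x1e\x1e\x1f|"
C2_SEP = b"\x1e\x1e\x1f"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> Tuple[bytes, List[bytes]]:
    """blob = raw RT_RCDATA resource: [key_len:1][key:key_len][rc4(config)]."""
    if len(blob) < 3:
        raise ValueError("resource too short to hold a key and ciphertext")
    key_len = blob[0]
    if key_len == 0 or 1 + key_len >= len(blob):
        raise ValueError(f"implausible key length {key_len}: not a settings blob?")
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    fields = plain.split(FIELD_SEP)
    if len(fields) < 2:
        # Wrong layout, unsupported version, or the resource is not the settings.
        raise ValueError("no field delimiter found after decryption")
    return key, fields


def c2_entries(fields: List[bytes]) -> List[Tuple[str, int, str]]:
    """Field 0 holds one or more host:port:password entries (assumed layout)."""
    entries = []
    for raw in fields[0].split(C2_SEP):
        if not raw:
            continue
        host, port, password = raw.decode("latin-1").split(":", 2)
        entries.append((host, int(port), password))
    return entries


def build_settings(key: bytes, fields: List[bytes]) -> bytes:
    """Test fixture only: pack constructed fields the way parse_settings expects."""
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def rcdata_from_pe(path: str) -> List[Tuple[str, bytes]]:
    """Return (name, bytes) for every RT_RCDATA resource of a PE using pefile."""
    import pefile  # optional dependency: pip install pefile
    pe = pefile.PE(path)
    found = []
    for rtype in pe.DIRECTORY_ENTRY_RESOURCE.entries:
        if rtype.id != pefile.RESOURCE_TYPE["RT_RCDATA"]:
            continue
        for res in rtype.directory.entries:
            name = str(res.name) if res.name else str(res.id)
            lang = res.directory.entries[0]
            data = pe.get_data(lang.data.struct.OffsetToData, lang.data.struct.Size)
            found.append((name, data))
    return found


if __name__ == "__main__":
    # Constructed sample: host:port from this report's alerts, everything else made up.
    demo_fields = [b"107.175.130.20:14645:p4ssw0rd", b"RemoteHost", b"Rmc-DEMO01", b"1"]
    blob = build_settings(b"demo-key", demo_fields)
    key, fields = parse_settings(blob)
    print("key:", key, "fields:", len(fields), "c2:", c2_entries(fields))
```

Against a real sample, feed `rcdata_from_pe(path)` output into `parse_settings`; if it raises on the delimiter check, the version uses a different separator and the decrypted bytes should be inspected by hand rather than trusted.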
                              DLLImport
KERNEL32.dllFindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
                              USER32.dllGetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
                              GDI32.dllBitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
                              ADVAPI32.dllCryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
                              SHELL32.dllShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                              ole32.dllCoInitializeEx, CoUninitialize, CoGetObject
                              SHLWAPI.dllPathFileExistsW, PathFileExistsA, StrToIntA
                              WINMM.dllwaveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
                              WS2_32.dllgethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
                              urlmon.dllURLOpenBlockingStreamW, URLDownloadToFileW
                              gdiplus.dllGdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
                              WININET.dllInternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
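Most of the capability signatures listed at the top of this report (keyboard hook, clipboard access, screenshot and microphone capture, process enumeration, download-and-execute, service manipulation, the CMSTPLUA UAC bypass) can be read straight off this import table: the sample is not packed, so the API clusters are in the clear. The Python below is an added example for this page, not Joe Sandbox code and not the capa rule set; it parses the report's own flattened `DLL.dllFunc1, Func2` lines (KERNEL32 trimmed to the entries the rules use) and fires a capability only when every API of a cluster is present. Two caveats the rules encode: `CoGetObject` is the call that binds an `Elevation:Administrator!new:{CLSID}` moniker, but the CMSTPLUA CLSID itself lives in data, not in the import table, so the rule is only medium strength; and `IsDebuggerPresent`, `SetUnhandledExceptionFilter`, `LoadLibraryA`/`GetProcAddress` are imported by the static CRT of every MSVC program, so they are marked weak.

```python
"""Map imported Win32 APIs to capabilities (added example, see lead-in)."""
from typing import Dict, List, Set, Tuple

# Import lines copied from this report's DLL/Import table (KERNEL32 trimmed).
# The report glues the DLL name to the first function ("USER32.dllGetMessageA").
IMPORT_TABLE = """\
KERNEL32.dllCreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualAlloc, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, GetProcAddress, LoadLibraryA, IsDebuggerPresent, SetUnhandledExceptionFilter
USER32.dllGetClipboardData, UnhookWindowsHookEx, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, SetClipboardData, ExitWindowsEx, SystemParametersInfoW
GDI32.dllBitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetDIBits
ADVAPI32.dllOpenSCManagerW, ControlService, ChangeServiceConfigW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegSetValueExW, RegCreateKeyExW
SHELL32.dllShellExecuteExA, ShellExecuteW
ole32.dllCoInitializeEx, CoUninitialize, CoGetObject
WINMM.dllwaveInOpen, waveInStart, waveInAddBuffer
WS2_32.dllgethostbyname, send, WSAStartup, connect, socket, recv
urlmon.dllURLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dllGdipSaveImageToStream, GdiplusStartup
"""

# (capability, APIs that must ALL be imported, strength). "weak" rules fire on APIs
# the static CRT or any ordinary GUI program also imports: they corroborate, never convict.
RULES: List[Tuple[str, Set[str], str]] = [
    ("keyboard hook (keylogging)", {"SetWindowsHookExA", "CallNextHookEx", "GetKeyboardState", "ToUnicodeEx"}, "strong"),
    ("clipboard read/write", {"OpenClipboard", "GetClipboardData", "SetClipboardData"}, "strong"),
    ("screen capture", {"BitBlt", "CreateCompatibleBitmap", "GetDIBits", "GdipSaveImageToStream"}, "strong"),
    ("microphone capture", {"waveInOpen", "waveInStart", "waveInAddBuffer"}, "strong"),
    ("process injection via thread context", {"CreateProcessW", "WriteProcessMemory", "GetThreadContext", "SetThreadContext", "ResumeThread"}, "strong"),
    ("process enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, "medium"),
    ("download and execute", {"URLDownloadToFileW", "ShellExecuteW"}, "strong"),
    ("COM moniker binding (CoGetObject; UAC bypass needs the elevation moniker in data)", {"CoInitializeEx", "CoGetObject"}, "medium"),
    ("service enumeration/reconfiguration", {"OpenSCManagerW", "EnumServicesStatusW", "ChangeServiceConfigW", "ControlService"}, "medium"),
    ("privilege adjustment", {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"}, "medium"),
    ("raw TCP client (C2 channel)", {"WSAStartup", "gethostbyname", "socket", "connect", "send", "recv"}, "medium"),
    ("registry value write (persistence candidate)", {"RegCreateKeyExW", "RegSetValueExW"}, "weak"),
    ("wallpaper / system parameter change", {"SystemParametersInfoW"}, "weak"),
    ("shutdown or logoff", {"ExitWindowsEx"}, "weak"),
    ("debugger check", {"IsDebuggerPresent"}, "weak"),
    ("dynamic API resolution", {"LoadLibraryA", "GetProcAddress"}, "weak"),
]


def parse_imports(text: str) -> Dict[str, Set[str]]:
    """Split the report's 'DLL.dllFunc1, Func2' lines into {dll: {funcs}}."""
    imports: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dll, sep, funcs = line.partition(".dll")
        if not sep:
            raise ValueError(f"unrecognised import line: {line!r}")
        imports[dll.lower()] = {f.strip() for f in funcs.split(",") if f.strip()}
    return imports


def match_capabilities(imports: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (capability, strength) for every rule whose APIs are all imported."""
    all_apis: Set[str] = set().union(*imports.values()) if imports else set()
    return [(name, strength) for name, apis, strength in RULES if apis <= all_apis]


if __name__ == "__main__":
    for capability, strength in match_capabilities(parse_imports(IMPORT_TABLE)):
        print(f"[{strength:6}] {capability}")
```

Run against the full table every rule fires; the value of the strength column is in triage of other samples, where a binary that only trips the weak rules is most likely a benign MSVC program.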
                              Language of compilation systemCountry where language is spokenMap
                              EnglishUnited States
Suricata alerts (127 rows). Every row: SID 2036594, signature "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", severity 1, source IP 192.168.2.7, destination 107.175.130.20 port 14645, protocol TCP. Only the timestamp and the client source port differ:
Timestamp                        Source Port
2024-10-06T21:17:45.007376+0200  49699
2024-10-06T21:17:47.780062+0200  49701
2024-10-06T21:17:50.224730+0200  49713
2024-10-06T21:17:52.688021+0200  49732
2024-10-06T21:17:55.126833+0200  49748
2024-10-06T21:17:57.570628+0200  49764
2024-10-06T21:18:00.003971+0200  49781
2024-10-06T21:18:02.459457+0200  49801
2024-10-06T21:18:04.881275+0200  49817
2024-10-06T21:18:07.346600+0200  49833
2024-10-06T21:18:09.762635+0200  49849
2024-10-06T21:18:12.188031+0200  49865
2024-10-06T21:18:14.637642+0200  49881
2024-10-06T21:18:17.054052+0200  49898
2024-10-06T21:18:19.485301+0200  49917
2024-10-06T21:18:21.965525+0200  49931
2024-10-06T21:18:24.405170+0200  49948
2024-10-06T21:18:26.843456+0200  49965
2024-10-06T21:18:29.379636+0200  49984
2024-10-06T21:18:31.817752+0200  49989
2024-10-06T21:18:34.282874+0200  49990
2024-10-06T21:18:37.192861+0200  49991
2024-10-06T21:18:39.677719+0200  49992
2024-10-06T21:18:42.127026+0200  49995
2024-10-06T21:18:44.757429+0200  49997
2024-10-06T21:18:47.173025+0200  49998
2024-10-06T21:18:49.594937+0200  49999
2024-10-06T21:18:52.015982+0200  50000
2024-10-06T21:18:54.477716+0200  50001
2024-10-06T21:18:56.937129+0200  50002
2024-10-06T21:18:59.374546+0200  50003
2024-10-06T21:19:01.782855+0200  50004
2024-10-06T21:19:04.222174+0200  50005
2024-10-06T21:19:06.608860+0200  50006
2024-10-06T21:19:08.992000+0200  50007
2024-10-06T21:19:11.365002+0200  50008
2024-10-06T21:19:13.662537+0200  50009
2024-10-06T21:19:15.956423+0200  50010
2024-10-06T21:19:18.204492+0200  50011
2024-10-06T21:19:20.404581+0200  50012
2024-10-06T21:19:22.616980+0200  50013
2024-10-06T21:19:24.784533+0200  50014
2024-10-06T21:19:26.928487+0200  50015
2024-10-06T21:19:29.048435+0200  50016
2024-10-06T21:19:31.155197+0200  50017
2024-10-06T21:19:33.233021+0200  50018
2024-10-06T21:19:35.263496+0200  50019
2024-10-06T21:19:37.347556+0200  50020
2024-10-06T21:19:39.380465+0200  50021
2024-10-06T21:19:41.377416+0200  50022
2024-10-06T21:19:43.348073+0200  50023
2024-10-06T21:19:45.602631+0200  50024
2024-10-06T21:19:47.534513+0200  50025
2024-10-06T21:19:49.457995+0200  50026
2024-10-06T21:19:51.361989+0200  50027
2024-10-06T21:19:53.275823+0200  50028
2024-10-06T21:19:55.127706+0200  50029
2024-10-06T21:19:57.078774+0200  50030
2024-10-06T21:19:58.908399+0200  50031
2024-10-06T21:20:00.982899+0200  50032
2024-10-06T21:20:02.780030+0200  50033
2024-10-06T21:20:04.586365+0200  50034
2024-10-06T21:20:06.380480+0200  50035
2024-10-06T21:20:08.172481+0200  50036
2024-10-06T21:20:09.944588+0200  50037
2024-10-06T21:20:11.708205+0200  50038
2024-10-06T21:20:13.492801+0200  50039
2024-10-06T21:20:15.274478+0200  50040
2024-10-06T21:20:16.989092+0200  50041
2024-10-06T21:20:18.713468+0200  50042
2024-10-06T21:20:20.432034+0200  50043
2024-10-06T21:20:22.128506+0200  50044
2024-10-06T21:20:23.819577+0200  50045
2024-10-06T21:20:25.499127+0200  50046
2024-10-06T21:20:27.245569+0200  50047
2024-10-06T21:20:29.442632+0200  50048
2024-10-06T21:20:31.100993+0200  50049
2024-10-06T21:20:32.738529+0200  50050
2024-10-06T21:20:34.400587+0200  50051
2024-10-06T21:20:36.055488+0200  50052
2024-10-06T21:20:37.712543+0200  50053
2024-10-06T21:20:39.331772+0200  50054
2024-10-06T21:20:40.937975+0200  50055
2024-10-06T21:20:42.552247+0200  50056
2024-10-06T21:20:44.142188+0200  50057
2024-10-06T21:20:45.846778+0200  50058
2024-10-06T21:20:47.421636+0200  50059
2024-10-06T21:20:49.018830+0200  50060
2024-10-06T21:20:50.581656+0200  50061
2024-10-06T21:20:52.159544+0200  50062
2024-10-06T21:20:53.743496+0200  50063
2024-10-06T21:20:55.339574+0200  50064
2024-10-06T21:20:56.924940+0200  50065
2024-10-06T21:20:58.487795+0200  50066
2024-10-06T21:21:00.054365+0200  50067
2024-10-06T21:21:01.595285+0200  50068
2024-10-06T21:21:03.175735+0200  50069
2024-10-06T21:21:04.876288+0200  50070
2024-10-06T21:21:06.443534+0200  50071
2024-10-06T21:21:07.954602+0200  50072
2024-10-06T21:21:09.468570+0200  50073
2024-10-06T21:21:11.025627+0200  50074
2024-10-06T21:21:12.536555+0200  50075
2024-10-06T21:21:14.098755+0200  50076
2024-10-06T21:21:15.618649+0200  50077
2024-10-06T21:21:17.136621+0200  50078
2024-10-06T21:21:18.801222+0200  50079
2024-10-06T21:21:20.318614+0200  50080
2024-10-06T21:21:21.816565+0200  50081
2024-10-06T21:21:23.332199+0200  50082
2024-10-06T21:21:24.816785+0200  50083
2024-10-06T21:21:26.488905+0200  50084
2024-10-06T21:21:27.996264+0200  50085
2024-10-06T21:21:29.473027+0200  50086
2024-10-06T21:21:30.973310+0200  50087
2024-10-06T21:21:32.502052+0200  50088
2024-10-06T21:21:34.337414+0200  50089
2024-10-06T21:21:35.863471+0200  50090
2024-10-06T21:21:37.352614+0200  50091
2024-10-06T21:21:39.167591+0200  50092
2024-10-06T21:21:40.641133+0200  50093
2024-10-06T21:21:42.148206+0200  50094
2024-10-06T21:21:43.630698+0200  50095
2024-10-06T21:21:45.114217+0200  50096
2024-10-06T21:21:47.150758+0200  50097
2024-10-06T21:21:48.680895+0200  50098
2024-10-06T21:21:50.162682+0200  50099
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Oct 6, 2024 21:19:12.259538889 CEST5000914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:12.264312029 CEST1464550009107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:13.659034967 CEST1464550009107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:13.662537098 CEST5000914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:13.662590981 CEST5000914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:13.668355942 CEST1464550009107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:14.516875982 CEST5001014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:14.522825003 CEST1464550010107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:14.522897959 CEST5001014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:14.526026011 CEST5001014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:14.531754017 CEST1464550010107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:15.955148935 CEST1464550010107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:15.956423044 CEST5001014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:15.960366011 CEST5001014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:15.965200901 CEST1464550010107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:16.783011913 CEST5001114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:16.788605928 CEST1464550011107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:16.788707018 CEST5001114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:16.792768002 CEST5001114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:16.797610998 CEST1464550011107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:18.204216003 CEST1464550011107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:18.204492092 CEST5001114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:18.204621077 CEST5001114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:18.209355116 CEST1464550011107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:19.001589060 CEST5001214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:19.006788969 CEST1464550012107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:19.006886959 CEST5001214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:19.010008097 CEST5001214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:19.014987946 CEST1464550012107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:20.404485941 CEST1464550012107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:20.404581070 CEST5001214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:20.404629946 CEST5001214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:20.409459114 CEST1464550012107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:21.176368952 CEST5001314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:21.181231976 CEST1464550013107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:21.184565067 CEST5001314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:21.189227104 CEST5001314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:21.193984985 CEST1464550013107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:22.616915941 CEST1464550013107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:22.616980076 CEST5001314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:22.617022991 CEST5001314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:22.621841908 CEST1464550013107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:23.361362934 CEST5001414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:23.366238117 CEST1464550014107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:23.368433952 CEST5001414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:23.371675014 CEST5001414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:23.376414061 CEST1464550014107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:24.783971071 CEST1464550014107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:24.784533024 CEST5001414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:24.784733057 CEST5001414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:24.789587021 CEST1464550014107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:25.501643896 CEST5001514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:25.506491899 CEST1464550015107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:25.506572008 CEST5001514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:25.509861946 CEST5001514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:25.514655113 CEST1464550015107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:26.928004980 CEST1464550015107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:26.928487062 CEST5001514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:26.928932905 CEST5001514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:26.933726072 CEST1464550015107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:27.627496004 CEST5001614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:27.632503986 CEST1464550016107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:27.632586002 CEST5001614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:27.635768890 CEST5001614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:27.640641928 CEST1464550016107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:29.045502901 CEST1464550016107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:29.048434973 CEST5001614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:29.048476934 CEST5001614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:29.053447962 CEST1464550016107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:29.744251966 CEST5001714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:29.749133110 CEST1464550017107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:29.749213934 CEST5001714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:29.843024969 CEST5001714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:29.847908020 CEST1464550017107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:31.155112028 CEST1464550017107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:31.155196905 CEST5001714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:31.155230999 CEST5001714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:31.161128044 CEST1464550017107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:31.813815117 CEST5001814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:31.818700075 CEST1464550018107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:31.818773985 CEST5001814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:31.822674990 CEST5001814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:31.827486992 CEST1464550018107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:33.232969999 CEST1464550018107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:33.233021021 CEST5001814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:33.233071089 CEST5001814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:33.237946987 CEST1464550018107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:33.861336946 CEST5001914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:33.866170883 CEST1464550019107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:33.866266012 CEST5001914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:33.870974064 CEST5001914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:33.875771046 CEST1464550019107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:35.263108015 CEST1464550019107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:35.263495922 CEST5001914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:35.263536930 CEST5001914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:35.268341064 CEST1464550019107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:35.876671076 CEST5002014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:35.881599903 CEST1464550020107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:35.881661892 CEST5002014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:35.885947943 CEST5002014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:35.892029047 CEST1464550020107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:37.345909119 CEST1464550020107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:37.347556114 CEST5002014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:37.347603083 CEST5002014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:37.352407932 CEST1464550020107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:37.950028896 CEST5002114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:37.954981089 CEST1464550021107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:37.955049992 CEST5002114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:37.958678961 CEST5002114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:37.963449955 CEST1464550021107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:39.376952887 CEST1464550021107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:39.380465031 CEST5002114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:39.380546093 CEST5002114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:39.385376930 CEST1464550021107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:39.954781055 CEST5002214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:39.959645987 CEST1464550022107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:39.959774971 CEST5002214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:39.963455915 CEST5002214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:39.968235016 CEST1464550022107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:41.377315998 CEST1464550022107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:41.377415895 CEST5002214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:41.377415895 CEST5002214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:41.382345915 CEST1464550022107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:41.923466921 CEST5002314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:41.928323030 CEST1464550023107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:41.930556059 CEST5002314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:41.933887959 CEST5002314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:41.939377069 CEST1464550023107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:43.348002911 CEST1464550023107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:43.348073006 CEST5002314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:43.348115921 CEST5002314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:43.352997065 CEST1464550023107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:44.008711100 CEST5002414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:44.013549089 CEST1464550024107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:44.013653040 CEST5002414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:44.017031908 CEST5002414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:44.021933079 CEST1464550024107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:45.602159977 CEST1464550024107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:45.602631092 CEST5002414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:45.602672100 CEST5002414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:45.609071016 CEST1464550024107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:46.127580881 CEST5002514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:46.132509947 CEST1464550025107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:46.136451960 CEST5002514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:46.139662027 CEST5002514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:46.144418955 CEST1464550025107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:47.534427881 CEST1464550025107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:47.534512997 CEST5002514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:47.534600019 CEST5002514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:47.539457083 CEST1464550025107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:48.033349037 CEST5002614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:48.038304090 CEST1464550026107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:48.038398027 CEST5002614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:48.041863918 CEST5002614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:48.046732903 CEST1464550026107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:49.455452919 CEST1464550026107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:49.457994938 CEST5002614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:49.458118916 CEST5002614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:49.463160038 CEST1464550026107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:49.939192057 CEST5002714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:49.944067955 CEST1464550027107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:49.944473028 CEST5002714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:49.947812080 CEST5002714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:49.952703953 CEST1464550027107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:51.361794949 CEST1464550027107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:51.361989021 CEST5002714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:51.361989021 CEST5002714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:51.366858006 CEST1464550027107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:51.831768036 CEST5002814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:51.836639881 CEST1464550028107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:51.836724043 CEST5002814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:51.842487097 CEST5002814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:51.847279072 CEST1464550028107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:53.275741100 CEST1464550028107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:53.275823116 CEST5002814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:53.275866985 CEST5002814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:53.280728102 CEST1464550028107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:53.720464945 CEST5002914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:53.725544930 CEST1464550029107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:53.728470087 CEST5002914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:53.733119011 CEST5002914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:53.737922907 CEST1464550029107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:55.127630949 CEST1464550029107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:55.127706051 CEST5002914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:55.127742052 CEST5002914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:55.132641077 CEST1464550029107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:55.564208031 CEST5003014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:55.569072962 CEST1464550030107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:55.569139957 CEST5003014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:55.574532032 CEST5003014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:55.579427958 CEST1464550030107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:57.078697920 CEST1464550030107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:57.078773975 CEST5003014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:57.078810930 CEST5003014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:57.195580006 CEST1464550030107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:57.502302885 CEST5003114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:57.507184029 CEST1464550031107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:57.507306099 CEST5003114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:57.511687040 CEST5003114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:57.516489029 CEST1464550031107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:58.908296108 CEST1464550031107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:58.908399105 CEST5003114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:58.908483982 CEST5003114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:58.913408995 CEST1464550031107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:59.314889908 CEST5003214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:59.548639059 CEST1464550032107.175.130.20192.168.2.7
                              Oct 6, 2024 21:19:59.548963070 CEST5003214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:59.552429914 CEST5003214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:19:59.557862043 CEST1464550032107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:00.982844114 CEST1464550032107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:00.982898951 CEST5003214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:00.983007908 CEST5003214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:00.987730026 CEST1464550032107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:01.376566887 CEST5003314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:01.381370068 CEST1464550033107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:01.381582975 CEST5003314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:01.384671926 CEST5003314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:01.389566898 CEST1464550033107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:02.779961109 CEST1464550033107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:02.780030012 CEST5003314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:02.780073881 CEST5003314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:02.784898043 CEST1464550033107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:03.158413887 CEST5003414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:03.163254976 CEST1464550034107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:03.163331032 CEST5003414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:03.166635990 CEST5003414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:03.171449900 CEST1464550034107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:04.586276054 CEST1464550034107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:04.586364985 CEST5003414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:04.586410999 CEST5003414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:04.591137886 CEST1464550034107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:04.955410004 CEST5003514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:04.960426092 CEST1464550035107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:04.963404894 CEST5003514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:04.963872910 CEST5003514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:04.968720913 CEST1464550035107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:06.380011082 CEST1464550035107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:06.380480051 CEST5003514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:06.395006895 CEST5003514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:06.399912119 CEST1464550035107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:06.751547098 CEST5003614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:06.757415056 CEST1464550036107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:06.757563114 CEST5003614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:06.770504951 CEST5003614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:06.775311947 CEST1464550036107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:08.171185017 CEST1464550036107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:08.172481060 CEST5003614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:08.172524929 CEST5003614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:08.177340031 CEST1464550036107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:08.517052889 CEST5003714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:08.522064924 CEST1464550037107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:08.522130966 CEST5003714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:08.525754929 CEST5003714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:08.530678988 CEST1464550037107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:09.941915989 CEST1464550037107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:09.944587946 CEST5003714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:09.944639921 CEST5003714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:09.949385881 CEST1464550037107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:10.283076048 CEST5003814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:10.287935019 CEST1464550038107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:10.291098118 CEST5003814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:10.298530102 CEST5003814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:10.303342104 CEST1464550038107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:11.706041098 CEST1464550038107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:11.708204985 CEST5003814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:11.708254099 CEST5003814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:11.713330984 CEST1464550038107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:12.047116041 CEST5003914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:12.052164078 CEST1464550039107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:12.052558899 CEST5003914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:12.055735111 CEST5003914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:12.060631990 CEST1464550039107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:13.492654085 CEST1464550039107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:13.492800951 CEST5003914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:13.492914915 CEST5003914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:20:13.497731924 CEST1464550039107.175.130.20192.168.2.7
                              Oct 6, 2024 21:20:13.813855886 CEST5004014645192.168.2.7107.175.130.20
                               Oct 6, 2024 21:20:13.818758011 CEST  14645  50040  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:13.823018074 CEST  50040  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:13.826313972 CEST  50040  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:13.831581116 CEST  14645  50040  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:15.274341106 CEST  14645  50040  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:15.274477959 CEST  50040  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:15.274497032 CEST  50040  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:15.279418945 CEST  14645  50040  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:15.579499960 CEST  50041  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:15.584340096 CEST  14645  50041  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:15.584486961 CEST  50041  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:15.587805033 CEST  50041  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:15.592679977 CEST  14645  50041  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:16.988960028 CEST  14645  50041  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:16.989092112 CEST  50041  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:16.989125013 CEST  50041  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:16.993999958 CEST  14645  50041  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:17.282706022 CEST  50042  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:17.287719965 CEST  14645  50042  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:17.287914038 CEST  50042  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:17.297672033 CEST  50042  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:17.302587986 CEST  14645  50042  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:18.713398933 CEST  14645  50042  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:18.713468075 CEST  50042  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:18.716675997 CEST  50042  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:18.721586943 CEST  14645  50042  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:19.001800060 CEST  50043  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:19.006681919 CEST  14645  50043  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:19.006758928 CEST  50043  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:19.010291100 CEST  50043  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:19.015054941 CEST  14645  50043  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:20.430823088 CEST  14645  50043  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:20.432034016 CEST  50043  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:20.433454037 CEST  50043  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:20.438251972 CEST  14645  50043  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:20.704929113 CEST  50044  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:20.709882021 CEST  14645  50044  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:20.709959030 CEST  50044  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:20.713430882 CEST  50044  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:20.718250036 CEST  14645  50044  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:22.128034115 CEST  14645  50044  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:22.128505945 CEST  50044  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:22.128566980 CEST  50044  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:22.133352995 CEST  14645  50044  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:22.392607927 CEST  50045  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:22.397569895 CEST  14645  50045  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:22.400542021 CEST  50045  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:22.405319929 CEST  50045  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:22.410252094 CEST  14645  50045  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:23.819493055 CEST  14645  50045  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:23.819576979 CEST  50045  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:23.819689035 CEST  50045  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:23.824668884 CEST  14645  50045  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:24.079672098 CEST  50046  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:24.084707975 CEST  14645  50046  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:24.087729931 CEST  50046  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:24.090799093 CEST  50046  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:24.095647097 CEST  14645  50046  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:25.498976946 CEST  14645  50046  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:25.499126911 CEST  50046  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:25.499161005 CEST  50046  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:25.509180069 CEST  14645  50046  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:25.751395941 CEST  50047  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:25.756256104 CEST  14645  50047  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:25.758970022 CEST  50047  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:25.762363911 CEST  50047  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:25.767175913 CEST  14645  50047  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:27.245511055 CEST  14645  50047  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:27.245568991 CEST  50047  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:27.245636940 CEST  50047  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:27.250479937 CEST  14645  50047  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:27.485925913 CEST  50048  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:27.491007090 CEST  14645  50048  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:27.491101980 CEST  50048  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:27.495743036 CEST  50048  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:27.500659943 CEST  14645  50048  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:29.442559004 CEST  14645  50048  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:29.442631960 CEST  50048  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:29.442725897 CEST  50048  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:29.442861080 CEST  14645  50048  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:29.442913055 CEST  50048  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:29.443202972 CEST  14645  50048  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:29.443245888 CEST  50048  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:29.456008911 CEST  14645  50048  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:29.673176050 CEST  50049  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:29.678200960 CEST  14645  50049  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:29.678302050 CEST  50049  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:29.681788921 CEST  50049  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:29.686625004 CEST  14645  50049  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:31.100857019 CEST  14645  50049  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:31.100992918 CEST  50049  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:31.101053953 CEST  50049  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:31.105977058 CEST  14645  50049  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:31.330493927 CEST  50050  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:31.335452080 CEST  14645  50050  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:31.335558891 CEST  50050  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:31.338826895 CEST  50050  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:31.344059944 CEST  14645  50050  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:32.738423109 CEST  14645  50050  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:32.738528967 CEST  50050  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:32.741022110 CEST  50050  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:32.745899916 CEST  14645  50050  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:32.954655886 CEST  50051  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:32.959669113 CEST  14645  50051  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:32.959759951 CEST  50051  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:32.963047028 CEST  50051  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:32.967894077 CEST  14645  50051  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:34.398000002 CEST  14645  50051  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:34.400587082 CEST  50051  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:34.400619984 CEST  50051  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:34.405425072 CEST  14645  50051  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:34.610991001 CEST  50052  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:34.616374016 CEST  14645  50052  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:34.616446972 CEST  50052  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:34.619688988 CEST  50052  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:34.624540091 CEST  14645  50052  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:36.054471016 CEST  14645  50052  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:36.055488110 CEST  50052  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:36.055537939 CEST  50052  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:36.061352015 CEST  14645  50052  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:36.267848015 CEST  50053  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:36.272748947 CEST  14645  50053  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:36.276563883 CEST  50053  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:36.280375957 CEST  50053  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:36.285239935 CEST  14645  50053  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:37.712246895 CEST  14645  50053  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:37.712543011 CEST  50053  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:37.712585926 CEST  50053  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:37.717350960 CEST  14645  50053  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:37.916445971 CEST  50054  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:37.921474934 CEST  14645  50054  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:37.921572924 CEST  50054  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:37.930243015 CEST  50054  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:37.935126066 CEST  14645  50054  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:39.331701040 CEST  14645  50054  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:39.331772089 CEST  50054  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:39.331816912 CEST  50054  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:39.336597919 CEST  14645  50054  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:39.516911983 CEST  50055  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:39.521723986 CEST  14645  50055  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:39.521826982 CEST  50055  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:39.525253057 CEST  50055  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:39.530127048 CEST  14645  50055  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:40.937839985 CEST  14645  50055  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:40.937974930 CEST  50055  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:40.938014030 CEST  50055  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:40.942898035 CEST  14645  50055  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:41.126595974 CEST  50056  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:41.131850004 CEST  14645  50056  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:41.131963968 CEST  50056  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:41.135741949 CEST  50056  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:41.140732050 CEST  14645  50056  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:42.552119017 CEST  14645  50056  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:42.552247047 CEST  50056  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:42.552303076 CEST  50056  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:42.557094097 CEST  14645  50056  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:42.735907078 CEST  50057  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:42.740710974 CEST  14645  50057  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:42.740781069 CEST  50057  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:42.745028973 CEST  50057  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:42.749918938 CEST  14645  50057  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:44.142047882 CEST  14645  50057  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:44.142188072 CEST  50057  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:44.142188072 CEST  50057  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:44.147034883 CEST  14645  50057  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:44.432497025 CEST  50058  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:44.437434912 CEST  14645  50058  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:44.437562943 CEST  50058  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:44.440922976 CEST  50058  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:44.445848942 CEST  14645  50058  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:45.846673965 CEST  14645  50058  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:45.846777916 CEST  50058  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:45.846887112 CEST  50058  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:45.851650000 CEST  14645  50058  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:46.017003059 CEST  50059  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:46.021929026 CEST  14645  50059  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:46.022030115 CEST  50059  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:46.025124073 CEST  50059  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:46.029973984 CEST  14645  50059  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:47.421509027 CEST  14645  50059  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:47.421636105 CEST  50059  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:47.421636105 CEST  50059  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:47.426826000 CEST  14645  50059  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:47.579480886 CEST  50060  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:47.584444046 CEST  14645  50060  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:47.584619045 CEST  50060  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:47.587871075 CEST  50060  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:47.592700958 CEST  14645  50060  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:49.018759966 CEST  14645  50060  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:49.018830061 CEST  50060  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:49.018855095 CEST  50060  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:49.023720026 CEST  14645  50060  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:49.173386097 CEST  50061  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:49.178335905 CEST  14645  50061  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:49.178432941 CEST  50061  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:49.181229115 CEST  50061  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:49.186031103 CEST  14645  50061  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:50.581576109 CEST  14645  50061  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:50.581655979 CEST  50061  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:50.581676006 CEST  50061  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:50.586555958 CEST  14645  50061  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:50.735909939 CEST  50062  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:50.740952015 CEST  14645  50062  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:50.741024971 CEST  50062  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:50.745697975 CEST  50062  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:50.750530005 CEST  14645  50062  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:52.159473896 CEST  14645  50062  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:52.159543991 CEST  50062  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:52.159646988 CEST  50062  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:52.164443970 CEST  14645  50062  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:52.314702988 CEST  50063  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:52.319505930 CEST  14645  50063  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:52.319571018 CEST  50063  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:52.323695898 CEST  50063  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:52.328471899 CEST  14645  50063  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:53.743431091 CEST  14645  50063  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:53.743495941 CEST  50063  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:53.743565083 CEST  50063  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:53.748378038 CEST  14645  50063  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:53.892225981 CEST  50064  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:53.897136927 CEST  14645  50064  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:53.897205114 CEST  50064  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:53.900757074 CEST  50064  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:53.905534029 CEST  14645  50064  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:55.339510918 CEST  14645  50064  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:55.339574099 CEST  50064  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:55.339659929 CEST  50064  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:55.344449043 CEST  14645  50064  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:55.486287117 CEST  50065  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:55.491080046 CEST  14645  50065  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:55.491152048 CEST  50065  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:55.495938063 CEST  50065  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:55.500914097 CEST  14645  50065  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:56.924778938 CEST  14645  50065  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:56.924940109 CEST  50065  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:56.925378084 CEST  50065  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:56.930093050 CEST  14645  50065  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:57.063962936 CEST  50066  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:57.069128036 CEST  14645  50066  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:57.069228888 CEST  50066  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:57.072508097 CEST  50066  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:57.077698946 CEST  14645  50066  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:58.487720013 CEST  14645  50066  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:58.487795115 CEST  50066  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:58.487903118 CEST  50066  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:58.492702961 CEST  14645  50066  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:58.610795021 CEST  50067  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:58.616146088 CEST  14645  50067  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:20:58.616225958 CEST  50067  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:58.619570017 CEST  50067  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:20:58.624672890 CEST  14645  50067  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:00.054277897 CEST  14645  50067  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:00.054364920 CEST  50067  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:00.054438114 CEST  50067  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:00.059216976 CEST  14645  50067  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:00.189091921 CEST  50068  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:00.194108963 CEST  14645  50068  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:00.194205999 CEST  50068  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:00.198393106 CEST  50068  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:00.203464985 CEST  14645  50068  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:01.595189095 CEST  14645  50068  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:01.595284939 CEST  50068  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:01.596049070 CEST  50068  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:01.600899935 CEST  14645  50068  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:01.721117973 CEST  50069  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:01.727097034 CEST  14645  50069  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:01.727592945 CEST  50069  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:01.730781078 CEST  50069  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:01.735765934 CEST  14645  50069  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:03.175503969 CEST  14645  50069  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:03.175734997 CEST  50069  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:03.175859928 CEST  50069  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:03.180629015 CEST  14645  50069  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:03.298504114 CEST  50070  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:03.303469896 CEST  14645  50070  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:03.303580999 CEST  50070  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:03.306915998 CEST  50070  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:03.311732054 CEST  14645  50070  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:04.876209021 CEST  14645  50070  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:04.876287937 CEST  50070  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:04.890285015 CEST  50070  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:04.898101091 CEST  14645  50070  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:05.017110109 CEST  50071  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:05.022067070 CEST  14645  50071  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:05.022154093 CEST  50071  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:05.024934053 CEST  50071  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:05.029769897 CEST  14645  50071  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:06.441312075 CEST  14645  50071  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:06.443533897 CEST  50071  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:06.443533897 CEST  50071  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:06.448373079 CEST  14645  50071  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:06.548415899 CEST  50072  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:06.553317070 CEST  14645  50072  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:06.556612015 CEST  50072  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:06.559772015 CEST  50072  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:06.564640045 CEST  14645  50072  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:07.954541922 CEST  14645  50072  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:07.954602003 CEST  50072  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:07.954638004 CEST  50072  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:07.959628105 CEST  14645  50072  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:08.065342903 CEST  50073  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:08.071145058 CEST  14645  50073  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:08.072542906 CEST  50073  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:08.075874090 CEST  50073  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:08.081597090 CEST  14645  50073  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:09.468503952 CEST  14645  50073  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:09.468569994 CEST  50073  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:09.468669891 CEST  50073  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:09.473469973 CEST  14645  50073  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:09.579879999 CEST  50074  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:09.584862947 CEST  14645  50074  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:09.584969044 CEST  50074  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:09.588284016 CEST  50074  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:09.593084097 CEST  14645  50074  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:11.025547028 CEST  14645  50074  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:11.025626898 CEST  50074  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:11.025690079 CEST  50074  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:11.030479908 CEST  14645  50074  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:11.127142906 CEST  50075  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:11.134084940 CEST  14645  50075  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:11.134176970 CEST  50075  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:11.141035080 CEST  50075  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:11.145996094 CEST  14645  50075  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:12.533085108 CEST  14645  50075  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:12.536555052 CEST  50075  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:12.536705017 CEST  50075  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:12.543986082 CEST  14645  50075  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:12.642195940 CEST  50076  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:12.647147894 CEST  14645  50076  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:12.647218943 CEST  50076  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:12.650983095 CEST  50076  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:12.655811071 CEST  14645  50076  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:14.098637104 CEST  14645  50076  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:14.098754883 CEST  50076  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:14.098953009 CEST  50076  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:14.103781939 CEST  14645  50076  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:14.190226078 CEST  50077  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:14.199543953 CEST  14645  50077  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:14.199668884 CEST  50077  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:14.202954054 CEST  50077  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:14.207864046 CEST  14645  50077  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:15.615237951 CEST  14645  50077  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:15.618649006 CEST  50077  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:15.619012117 CEST  50077  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:15.623783112 CEST  14645  50077  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:15.706233025 CEST  50078  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:15.711194038 CEST  14645  50078  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:15.711256981 CEST  50078  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:15.716677904 CEST  50078  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:15.721556902 CEST  14645  50078  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:17.132920980 CEST  14645  50078  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:17.136620998 CEST  50078  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:17.136657953 CEST  50078  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:17.220280886 CEST  50079  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:17.371279955 CEST  14645  50078  107.175.130.20  192.168.2.7
                               Oct 6, 2024 21:21:17.371350050 CEST  50078  14645  192.168.2.7  107.175.130.20
                               Oct 6, 2024 21:21:17.372308016 CEST  14645  50078  107.175.130.20  192.168.2.7
                              Oct 6, 2024 21:21:17.372328997 CEST1464550079107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:17.372416019 CEST5007914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:17.376214981 CEST5007914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:17.381119013 CEST1464550079107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:18.801153898 CEST1464550079107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:18.801222086 CEST5007914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:18.801270962 CEST5007914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:18.806094885 CEST1464550079107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:18.892251015 CEST5008014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:18.897141933 CEST1464550080107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:18.897228003 CEST5008014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:18.900547981 CEST5008014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:18.905340910 CEST1464550080107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:20.318414927 CEST1464550080107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:20.318614006 CEST5008014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:20.318670034 CEST5008014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:20.323795080 CEST1464550080107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:20.407919884 CEST5008114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:20.412777901 CEST1464550081107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:20.414081097 CEST5008114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:20.417664051 CEST5008114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:20.422408104 CEST1464550081107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:21.814202070 CEST1464550081107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:21.816565037 CEST5008114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:21.816632986 CEST5008114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:21.821527958 CEST1464550081107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:21.892644882 CEST5008214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:21.897512913 CEST1464550082107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:21.900567055 CEST5008214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:21.903848886 CEST5008214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:21.908620119 CEST1464550082107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:23.332098961 CEST1464550082107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:23.332199097 CEST5008214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:23.332287073 CEST5008214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:23.337044954 CEST1464550082107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:23.407792091 CEST5008314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:23.412805080 CEST1464550083107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:23.413110018 CEST5008314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:23.416318893 CEST5008314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:23.421092033 CEST1464550083107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:24.816726923 CEST1464550083107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:24.816785097 CEST5008314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:24.816848040 CEST5008314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:24.821739912 CEST1464550083107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:24.892879963 CEST5008414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:25.085206985 CEST1464550084107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:25.088598967 CEST5008414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:25.091911077 CEST5008414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:25.096739054 CEST1464550084107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:26.488841057 CEST1464550084107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:26.488904953 CEST5008414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:26.488944054 CEST5008414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:26.493820906 CEST1464550084107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:26.564677000 CEST5008514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:26.569813013 CEST1464550085107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:26.569937944 CEST5008514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:26.574038982 CEST5008514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:26.578994989 CEST1464550085107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:27.996200085 CEST1464550085107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:27.996263981 CEST5008514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:27.996316910 CEST5008514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:28.001149893 CEST1464550085107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:28.064599991 CEST5008614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:28.069514990 CEST1464550086107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:28.069603920 CEST5008614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:28.074613094 CEST5008614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:28.079576969 CEST1464550086107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:29.472950935 CEST1464550086107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:29.473026991 CEST5008614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:29.473061085 CEST5008614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:29.477905035 CEST1464550086107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:29.548566103 CEST5008714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:29.553735018 CEST1464550087107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:29.554725885 CEST5008714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:29.558065891 CEST5008714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:29.562994003 CEST1464550087107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:30.973232985 CEST1464550087107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:30.973309994 CEST5008714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:30.973377943 CEST5008714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:30.978244066 CEST1464550087107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:31.090552092 CEST5008814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:31.095626116 CEST1464550088107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:31.095962048 CEST5008814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:31.099153996 CEST5008814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:31.104073048 CEST1464550088107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:32.501969099 CEST1464550088107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:32.502052069 CEST5008814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:32.502106905 CEST5008814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:32.506840944 CEST1464550088107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:32.564095974 CEST5008914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:32.569036961 CEST1464550089107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:32.569133043 CEST5008914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:32.572382927 CEST5008914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:32.577233076 CEST1464550089107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:34.337224007 CEST1464550089107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:34.337414026 CEST5008914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:34.337476015 CEST5008914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:34.338093042 CEST1464550089107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:34.338175058 CEST5008914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:34.342334032 CEST1464550089107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:34.407968998 CEST5009014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:34.413103104 CEST1464550090107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:34.413188934 CEST5009014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:34.416779041 CEST5009014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:34.421643019 CEST1464550090107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:35.863398075 CEST1464550090107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:35.863471031 CEST5009014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:35.866107941 CEST5009014645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:35.870944977 CEST1464550090107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:35.924254894 CEST5009114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:35.929198027 CEST1464550091107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:35.929270029 CEST5009114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:35.935447931 CEST5009114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:35.940291882 CEST1464550091107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:37.350476027 CEST1464550091107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:37.352613926 CEST5009114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:37.352674007 CEST5009114645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:37.357587099 CEST1464550091107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:37.407928944 CEST5009214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:37.728574991 CEST1464550092107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:37.728652954 CEST5009214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:37.731442928 CEST5009214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:37.736259937 CEST1464550092107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:39.165077925 CEST1464550092107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:39.167591095 CEST5009214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:39.167639971 CEST5009214645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:39.172401905 CEST1464550092107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:39.220354080 CEST5009314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:39.225323915 CEST1464550093107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:39.228584051 CEST5009314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:39.231534958 CEST5009314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:39.236438036 CEST1464550093107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:40.641055107 CEST1464550093107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:40.641133070 CEST5009314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:40.641177893 CEST5009314645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:40.646043062 CEST1464550093107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:40.704658985 CEST5009414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:40.709728003 CEST1464550094107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:40.712575912 CEST5009414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:40.715699911 CEST5009414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:40.720576048 CEST1464550094107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:42.145159960 CEST1464550094107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:42.148205996 CEST5009414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:42.148252964 CEST5009414645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:42.153099060 CEST1464550094107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:42.204951048 CEST5009514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:42.209932089 CEST1464550095107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:42.210082054 CEST5009514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:42.213524103 CEST5009514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:42.218400002 CEST1464550095107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:43.630588055 CEST1464550095107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:43.630697966 CEST5009514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:43.630753994 CEST5009514645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:43.635694981 CEST1464550095107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:43.689168930 CEST5009614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:43.695367098 CEST1464550096107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:43.695461035 CEST5009614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:43.698771000 CEST5009614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:43.703752041 CEST1464550096107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:45.114105940 CEST1464550096107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:45.114217043 CEST5009614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:45.114358902 CEST5009614645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:45.119131088 CEST1464550096107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:45.691436052 CEST5009714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:45.705116987 CEST1464550097107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:45.708580017 CEST5009714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:45.711416006 CEST5009714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:45.716371059 CEST1464550097107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:47.149183989 CEST1464550097107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:47.150758028 CEST5009714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:47.167881966 CEST5009714645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:47.172740936 CEST1464550097107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:47.245835066 CEST5009814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:47.250710011 CEST1464550098107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:47.250881910 CEST5009814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:47.261109114 CEST5009814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:47.266022921 CEST1464550098107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:48.680825949 CEST1464550098107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:48.680895090 CEST5009814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:48.680986881 CEST5009814645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:48.685802937 CEST1464550098107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:48.736026049 CEST5009914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:48.740988970 CEST1464550099107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:48.744421005 CEST5009914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:48.748070002 CEST5009914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:48.752969027 CEST1464550099107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:50.162609100 CEST1464550099107.175.130.20192.168.2.7
                              Oct 6, 2024 21:21:50.162682056 CEST5009914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:50.162806988 CEST5009914645192.168.2.7107.175.130.20
                              Oct 6, 2024 21:21:50.167613029 CEST1464550099107.175.130.20192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Oct 6, 2024 21:17:42.844605923 CEST  50247        53         192.168.2.7     1.1.1.1
Oct 6, 2024 21:17:42.961731911 CEST  53           50247      1.1.1.1         192.168.2.7
Oct 6, 2024 21:18:43.148864985 CEST  54288        53         192.168.2.7     1.1.1.1
Oct 6, 2024 21:18:43.282123089 CEST  53           54288      1.1.1.1         192.168.2.7
Oct 6, 2024 21:19:43.876071930 CEST  52092        53         192.168.2.7     1.1.1.1
Oct 6, 2024 21:19:44.007214069 CEST  53           52092      1.1.1.1         192.168.2.7
Oct 6, 2024 21:20:44.313782930 CEST  65287        53         192.168.2.7     1.1.1.1
Oct 6, 2024 21:20:44.430164099 CEST  53           65287      1.1.1.1         192.168.2.7
Oct 6, 2024 21:21:45.173217058 CEST  60620        53         192.168.2.7     1.1.1.1
Oct 6, 2024 21:21:45.690642118 CEST  53           60620      1.1.1.1         192.168.2.7

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                           Type            Class        DNS over HTTPS
Oct 6, 2024 21:17:42.844605923 CEST  192.168.2.7  1.1.1.1  0x8e17    Standard query (0)  michelsrmccontrol.duckdns.org  A (IP address)  IN (0x0001)  false
Oct 6, 2024 21:18:43.148864985 CEST  192.168.2.7  1.1.1.1  0xdf3     Standard query (0)  michelsrmccontrol.duckdns.org  A (IP address)  IN (0x0001)  false
Oct 6, 2024 21:19:43.876071930 CEST  192.168.2.7  1.1.1.1  0xd21d    Standard query (0)  michelsrmccontrol.duckdns.org  A (IP address)  IN (0x0001)  false
Oct 6, 2024 21:20:44.313782930 CEST  192.168.2.7  1.1.1.1  0x7d5d    Standard query (0)  michelsrmccontrol.duckdns.org  A (IP address)  IN (0x0001)  false
Oct 6, 2024 21:21:45.173217058 CEST  192.168.2.7  1.1.1.1  0xf349    Standard query (0)  michelsrmccontrol.duckdns.org  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                           CName  Address         Type            Class        DNS over HTTPS
Oct 6, 2024 21:17:42.961731911 CEST  1.1.1.1    192.168.2.7  0x8e17    No error (0)  michelsrmccontrol.duckdns.org  -      107.175.130.20  A (IP address)  IN (0x0001)  false
Oct 6, 2024 21:18:43.282123089 CEST  1.1.1.1    192.168.2.7  0xdf3     No error (0)  michelsrmccontrol.duckdns.org  -      107.175.130.20  A (IP address)  IN (0x0001)  false
Oct 6, 2024 21:19:44.007214069 CEST  1.1.1.1    192.168.2.7  0xd21d    No error (0)  michelsrmccontrol.duckdns.org  -      107.175.130.20  A (IP address)  IN (0x0001)  false
Oct 6, 2024 21:20:44.430164099 CEST  1.1.1.1    192.168.2.7  0x7d5d    No error (0)  michelsrmccontrol.duckdns.org  -      107.175.130.20  A (IP address)  IN (0x0001)  false
Oct 6, 2024 21:21:45.690642118 CEST  1.1.1.1    192.168.2.7  0xf349    No error (0)  michelsrmccontrol.duckdns.org  -      107.175.130.20  A (IP address)  IN (0x0001)  false
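Read together, the network tables above show the two traits a detection engineer would key on: the sample resolves michelsrmccontrol.duckdns.org (a free dynamic-DNS name) once a minute and always receives 107.175.130.20, and it opens a fresh TCP connection to 107.175.130.20:14645 from the next ephemeral port roughly every 1.5 seconds, each connection living about 1.4 seconds before it is torn down and the client reconnects. The script below is an added example, not part of the Joe Sandbox report and not Remcos code. It rebuilds flows from a constructed subset of the report's rows (copied from the tables, with the five columns separated by whitespace in the order Timestamp, Source Port, Dest Port, Source IP, Dest IP), flags the reconnect loop from the stable start-to-start period and rising client ports, and ties the server IP back to the name that resolved to it. The logic is generic rather than tied to this sample: any server endpoint that receives three or more connections with a stable period from rising client ports is flagged. The dynamic-DNS suffix list, the thresholds and the function names are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed subset of the report's TCP rows, columns separated by whitespace:
# Timestamp, Source Port, Dest Port, Source IP, Dest IP.
TCP_ROWS = """\
Oct 6, 2024 21:21:11.127142906 CEST 50075 14645 192.168.2.7 107.175.130.20
Oct 6, 2024 21:21:11.134084940 CEST 14645 50075 107.175.130.20 192.168.2.7
Oct 6, 2024 21:21:12.543986082 CEST 14645 50075 107.175.130.20 192.168.2.7
Oct 6, 2024 21:21:12.642195940 CEST 50076 14645 192.168.2.7 107.175.130.20
Oct 6, 2024 21:21:14.103781939 CEST 14645 50076 107.175.130.20 192.168.2.7
Oct 6, 2024 21:21:14.190226078 CEST 50077 14645 192.168.2.7 107.175.130.20
Oct 6, 2024 21:21:15.623783112 CEST 14645 50077 107.175.130.20 192.168.2.7
Oct 6, 2024 21:21:15.706233025 CEST 50078 14645 192.168.2.7 107.175.130.20
Oct 6, 2024 21:21:17.220280886 CEST 50079 14645 192.168.2.7 107.175.130.20
Oct 6, 2024 21:21:17.372308016 CEST 14645 50078 107.175.130.20 192.168.2.7
Oct 6, 2024 21:21:18.806094885 CEST 14645 50079 107.175.130.20 192.168.2.7
"""

# (timestamp, name, address) copied from the report's DNS answer rows.
DNS_ANSWERS = [
    ("Oct 6, 2024 21:17:42.961731911 CEST", "michelsrmccontrol.duckdns.org", "107.175.130.20"),
    ("Oct 6, 2024 21:18:43.282123089 CEST", "michelsrmccontrol.duckdns.org", "107.175.130.20"),
    ("Oct 6, 2024 21:19:44.007214069 CEST", "michelsrmccontrol.duckdns.org", "107.175.130.20"),
    ("Oct 6, 2024 21:20:44.430164099 CEST", "michelsrmccontrol.duckdns.org", "107.175.130.20"),
    ("Oct 6, 2024 21:21:45.690642118 CEST", "michelsrmccontrol.duckdns.org", "107.175.130.20"),
]

# Assumption for this example: a short, non-exhaustive set of free dynamic-DNS
# suffixes. A real deployment would take this from a maintained list.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".ddns.net", ".hopto.org")


def parse_ts(text):
    """'Oct 6, 2024 21:21:11.127142906 CEST' -> naive datetime (fraction cut to microseconds)."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def build_flows(rows):
    """Group packets into flows keyed by endpoint pair (one flow per ephemeral port).

    The first packet seen for a pair is taken as client -> server; that holds
    when the capture contains each connection's opening packet, as it does here.
    """
    flows = {}
    for line in rows.strip().splitlines():
        tok = line.split()
        ts = parse_ts(" ".join(tok[:5]))
        sport, dport, sip, dip = int(tok[5]), int(tok[6]), tok[7], tok[8]
        key = frozenset([(sip, sport), (dip, dport)])
        f = flows.setdefault(key, {"client": (sip, sport), "server": (dip, dport),
                                   "start": ts, "end": ts, "packets": 0})
        f["start"], f["end"] = min(f["start"], ts), max(f["end"], ts)
        f["packets"] += 1
    return list(flows.values())


def reconnect_loops(flows, min_flows=3, max_jitter=0.25):
    """Per server endpoint, flag a reconnect loop: one client opening >= min_flows
    short-lived connections with a stable start-to-start period and rising
    ephemeral ports (a single process reconnecting as soon as it is cut off).
    Start-to-start is used rather than end-to-start because connections can
    overlap: in the capture, port 50079 opens while 50078 is still being torn down."""
    by_server = defaultdict(list)
    for f in flows:
        by_server[f["server"]].append(f)
    report = {}
    for server, fl in by_server.items():
        fl.sort(key=lambda f: f["start"])
        starts = [f["start"] for f in fl]
        periods = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        durations = [(f["end"] - f["start"]).total_seconds() for f in fl]
        ports = [f["client"][1] for f in fl]
        med = median(periods) if periods else 0.0
        jitter = (max(periods) - min(periods)) / med if med else 1.0
        rising = all(b > a for a, b in zip(ports, ports[1:]))
        report[server] = {
            "flows": len(fl),
            "median_duration_s": round(median(durations), 3),
            "median_period_s": round(med, 3),
            "rising_ports": rising,
            "beaconing": len(fl) >= min_flows and jitter <= max_jitter and rising,
        }
    return report


def dns_context(answers, servers):
    """For each server IP: the names that resolved to it, whether any sits on a
    dynamic-DNS provider, and the median interval between re-resolutions."""
    seen = defaultdict(list)
    for ts, name, addr in answers:
        seen[addr].append((parse_ts(ts), name))
    out = {}
    for ip in servers:
        if ip not in seen:
            continue
        stamps = sorted(t for t, _ in seen[ip])
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        names = sorted({n for _, n in seen[ip]})
        out[ip] = {
            "names": names,
            "dynamic_dns": any(n.endswith(DYNAMIC_DNS_SUFFIXES) for n in names),
            "lookups": len(stamps),
            "median_reresolve_s": round(median(gaps), 1) if gaps else None,
        }
    return out


def analyse(tcp_rows=TCP_ROWS, answers=DNS_ANSWERS):
    flows = build_flows(tcp_rows)
    loops = reconnect_loops(flows)
    dns = dns_context(answers, {srv[0] for srv in loops})
    return loops, dns


if __name__ == "__main__":
    loops, dns = analyse()
    for (ip, port), r in loops.items():
        print(f"{ip}:{port} {r}")
        print("  dns:", dns.get(ip))
```

On the full table the same code sees 25 connections (ports 50075 to 50099) in under 40 seconds, which is why a period-plus-rising-port rule is a better fit for this family than a simple "connections per minute" threshold: the count alone would also fire on a browser, while the near-constant 1.5 second period and strictly increasing source ports describe one process in a tight reconnect loop. The once-a-minute re-resolution of the dynamic-DNS name is the second signal worth alerting on, since a legitimate client caches the answer for its TTL rather than asking again on every reconnect.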


                              Target ID:1
                              Start time:15:17:41
                              Start date:06/10/2024
                              Path:C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe"
                              Imagebase:0x400000
                              File size:494'592 bytes
                              MD5 hash:1A3FEE38CED030E1751A309616C39202
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000000.1315853761.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.3788914692.000000000076E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:false


                                Execution Graph

                                Execution Coverage:3%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:25.7%
                                Total number of Nodes:1066
                                Total number of Limit Nodes:52
[Execution graph omitted: the report renders it as an interactive node graph, and the text extraction kept only a flattened, cut-off fragment of the node list. Win32 APIs named on the extracted nodes: LoadLibraryA, GetProcAddress, GetModuleFileNameW, GetModuleHandleW, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlAllocateHeap, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegCloseKey, RegCreateKeyA, CreateProcessA, CloseHandle, CreateThread.]
40f093 47468->47469 47470 401e65 22 API calls 47469->47470 47471 40f09e 47470->47471 47472 401e65 22 API calls 47471->47472 47473 40f0af 47472->47473 47474 401e65 22 API calls 47473->47474 47475 40f0c4 47474->47475 47476 401e65 22 API calls 47475->47476 47477 40f0d5 47476->47477 47478 40f0dc StrToIntA 47477->47478 47757 409e1f 47478->47757 47481 401e65 22 API calls 47482 40f0f7 47481->47482 47483 40f103 47482->47483 47484 40f13c 47482->47484 47977 43455e 22 API calls 3 library calls 47483->47977 47486 401e65 22 API calls 47484->47486 47488 40f14c 47486->47488 47487 40f10c 47489 401e65 22 API calls 47487->47489 47491 40f194 47488->47491 47492 40f158 47488->47492 47490 40f11f 47489->47490 47493 40f126 CreateThread 47490->47493 47495 401e65 22 API calls 47491->47495 47978 43455e 22 API calls 3 library calls 47492->47978 47493->47484 48535 41a045 110 API calls 2 library calls 47493->48535 47498 40f19d 47495->47498 47496 40f161 47497 401e65 22 API calls 47496->47497 47499 40f173 47497->47499 47500 40f207 47498->47500 47501 40f1a9 47498->47501 47504 40f17a CreateThread 47499->47504 47502 401e65 22 API calls 47500->47502 47503 401e65 22 API calls 47501->47503 47505 40f210 47502->47505 47506 40f1b9 47503->47506 47504->47491 48534 41a045 110 API calls 2 library calls 47504->48534 47507 40f255 47505->47507 47508 40f21c 47505->47508 47509 401e65 22 API calls 47506->47509 47782 41b69e GetComputerNameExW GetUserNameW 47507->47782 47511 401e65 22 API calls 47508->47511 47512 40f1ce 47509->47512 47514 40f225 47511->47514 47979 40da23 32 API calls 47512->47979 47519 401e65 22 API calls 47514->47519 47515 401f13 28 API calls 47516 40f269 47515->47516 47518 401f09 11 API calls 47516->47518 47521 40f272 47518->47521 47522 40f23a 47519->47522 47520 40f1e1 47523 401f13 28 API calls 47520->47523 47524 40f27b SetProcessDEPPolicy 47521->47524 47525 40f27e CreateThread 47521->47525 47532 43bb2c _strftime 40 API calls 47522->47532 47526 40f1ed 47523->47526 47524->47525 47527 40f293 
CreateThread 47525->47527 47528 40f29f 47525->47528 48507 40f7e2 47525->48507 47529 401f09 11 API calls 47526->47529 47527->47528 48536 412132 139 API calls 47527->48536 47530 40f2b4 47528->47530 47531 40f2a8 CreateThread 47528->47531 47533 40f1f6 CreateThread 47529->47533 47536 40f307 47530->47536 47537 402093 28 API calls 47530->47537 47531->47530 48538 412716 38 API calls ___scrt_get_show_window_mode 47531->48538 47534 40f247 47532->47534 47533->47500 48539 401be9 50 API calls _strftime 47533->48539 47980 40c19d 7 API calls 47534->47980 47793 41353a RegOpenKeyExA 47536->47793 47538 40f2d7 47537->47538 47981 4052fd 28 API calls 47538->47981 47543 40f328 47545 41bcef 28 API calls 47543->47545 47547 40f338 47545->47547 47982 413656 31 API calls 47547->47982 47552 40f34e 47553 401f09 11 API calls 47552->47553 47556 40f359 47553->47556 47554 40f381 DeleteFileW 47555 40f388 47554->47555 47554->47556 47555->47363 47556->47363 47556->47554 47557 40f36f Sleep 47556->47557 47557->47556 47558->47236 47559->47240 47560->47246 47561->47243 47562->47253 47563->47254 47564->47256 47565->47259 47566->47263 47567->47265 47568->47268 47569->47266 47571 434bb8 GetStartupInfoW 47570->47571 47571->47274 47573 44f0eb 47572->47573 47574 44f0e2 47572->47574 47573->47277 47577 44efd8 49 API calls 4 library calls 47574->47577 47576->47277 47577->47573 47579 41cc20 LoadLibraryA GetProcAddress 47578->47579 47580 41cc10 GetModuleHandleA GetProcAddress 47578->47580 47581 41cc49 44 API calls 47579->47581 47582 41cc39 LoadLibraryA GetProcAddress 47579->47582 47580->47579 47581->47282 47582->47581 47985 41b539 FindResourceA 47583->47985 47587 40f428 ctype 47995 4020b7 47587->47995 47590 401fe2 28 API calls 47591 40f44e 47590->47591 47592 401fd8 11 API calls 47591->47592 47593 40f457 47592->47593 47594 43bda0 ___std_exception_copy 21 API calls 47593->47594 47595 40f468 ctype 47594->47595 48001 406e13 47595->48001 47597 40f49b 47597->47284 47599 40210c 47598->47599 47600 4023ce 11 API calls 
47599->47600 47601 402126 47600->47601 47602 402569 28 API calls 47601->47602 47603 402134 47602->47603 47603->47287 48038 4020df 47604->48038 47606 41bf2f 47607 401fd8 11 API calls 47606->47607 47608 41bf61 47607->47608 47609 401fd8 11 API calls 47608->47609 47611 41bf69 47609->47611 47610 41bf31 48044 4041a2 28 API calls 47610->48044 47614 401fd8 11 API calls 47611->47614 47616 40ea5f 47614->47616 47615 41bf3d 47617 401fe2 28 API calls 47615->47617 47626 40fb52 47616->47626 47619 41bf46 47617->47619 47618 401fe2 28 API calls 47625 41bebf 47618->47625 47620 401fd8 11 API calls 47619->47620 47622 41bf4e 47620->47622 47621 401fd8 11 API calls 47621->47625 48045 41cec5 28 API calls 47622->48045 47625->47606 47625->47610 47625->47618 47625->47621 48042 4041a2 28 API calls 47625->48042 48043 41cec5 28 API calls 47625->48043 47627 40fb5e 47626->47627 47629 40fb65 47626->47629 48046 402163 11 API calls 47627->48046 47629->47292 47631 402163 47630->47631 47635 40219f 47631->47635 48047 402730 11 API calls 47631->48047 47633 402184 48048 402712 11 API calls std::_Deallocate 47633->48048 47635->47294 47637 401e6d 47636->47637 47638 401e75 47637->47638 48049 402158 22 API calls 47637->48049 47638->47299 47642 4020df 11 API calls 47641->47642 47643 40532a 47642->47643 48050 4032a0 47643->48050 47645 405346 47645->47308 48055 4051ef 47646->48055 47648 406391 48059 402055 47648->48059 47651 401fe2 47652 401ff1 47651->47652 47659 402039 47651->47659 47653 4023ce 11 API calls 47652->47653 47654 401ffa 47653->47654 47655 40203c 47654->47655 47657 402015 47654->47657 47656 40267a 11 API calls 47655->47656 47656->47659 48093 403098 28 API calls 47657->48093 47660 401fd8 47659->47660 47661 4023ce 11 API calls 47660->47661 47662 401fe1 47661->47662 47662->47319 47664 401fd2 47663->47664 47665 401fc9 47663->47665 47664->47325 48094 4025e0 28 API calls 47665->48094 48095 401fab 47667->48095 47669 40d0ae CreateMutexA GetLastError 47669->47341 48096 41c048 47670->48096 47675 401fe2 28 API 
calls 47676 41b390 47675->47676 47677 401fd8 11 API calls 47676->47677 47678 41b398 47677->47678 47679 4135e1 31 API calls 47678->47679 47681 41b3ee 47678->47681 47680 41b3c1 47679->47680 47682 41b3cc StrToIntA 47680->47682 47681->47348 47683 41b3e3 47682->47683 47684 41b3da 47682->47684 47686 401fd8 11 API calls 47683->47686 48105 41cffa 22 API calls 47684->48105 47686->47681 47688 407765 47687->47688 47689 413584 3 API calls 47688->47689 47690 40776c 47689->47690 47690->47358 47690->47359 47692 41bd03 47691->47692 48106 40b93f 47692->48106 47694 41bd0b 47694->47375 47696 401f22 47695->47696 47703 401f6a 47695->47703 47697 402252 11 API calls 47696->47697 47698 401f2b 47697->47698 47699 401f6d 47698->47699 47701 401f46 47698->47701 48139 402336 47699->48139 48138 40305c 28 API calls 47701->48138 47704 401f09 47703->47704 47705 402252 11 API calls 47704->47705 47706 401f12 47705->47706 47706->47388 47708 4139a0 47707->47708 47709 406e13 28 API calls 47708->47709 47710 4139b5 47709->47710 47711 4020f6 28 API calls 47710->47711 47712 4139c5 47711->47712 47713 4137aa 14 API calls 47712->47713 47714 4139cf 47713->47714 47715 401fd8 11 API calls 47714->47715 47716 4139dc 47715->47716 47716->47435 47718 40209b 47717->47718 47719 4023ce 11 API calls 47718->47719 47720 4020a6 47719->47720 48143 4024ed 47720->48143 47724 4137c3 47723->47724 47725 4137fa 47723->47725 47728 4137d5 RegSetValueExA RegCloseKey 47724->47728 47726 401fd8 11 API calls 47725->47726 47727 40efd9 47726->47727 47727->47438 47728->47725 47730 43bb45 _strftime 47729->47730 48147 43ae83 47730->48147 47732 40eff2 47732->47444 47732->47446 47734 41b631 47733->47734 47735 41b596 GetLocalTime 47733->47735 47736 401fd8 11 API calls 47734->47736 47737 40531e 28 API calls 47735->47737 47738 41b639 47736->47738 47739 41b5d8 47737->47739 47740 401fd8 11 API calls 47738->47740 47741 406383 28 API calls 47739->47741 47743 40f048 47740->47743 47742 41b5e4 47741->47742 48175 402f10 47742->48175 47743->47462 47746 
406383 28 API calls 47747 41b5fc 47746->47747 48180 40723b 77 API calls 47747->48180 47749 41b60a 47750 401fd8 11 API calls 47749->47750 47751 41b616 47750->47751 47752 401fd8 11 API calls 47751->47752 47753 41b61f 47752->47753 47754 401fd8 11 API calls 47753->47754 47755 41b628 47754->47755 47756 401fd8 11 API calls 47755->47756 47756->47734 47758 409e3d _wcslen 47757->47758 47759 409e48 47758->47759 47760 409e5f 47758->47760 47761 40da6f 32 API calls 47759->47761 47762 40da6f 32 API calls 47760->47762 47763 409e50 47761->47763 47764 409e67 47762->47764 47765 401f13 28 API calls 47763->47765 47766 401f13 28 API calls 47764->47766 47768 409e5a 47765->47768 47767 409e75 47766->47767 47769 401f09 11 API calls 47767->47769 47771 401f09 11 API calls 47768->47771 47770 409e7d 47769->47770 48199 409196 28 API calls 47770->48199 47773 409eb4 47771->47773 48184 40a144 47773->48184 47774 409e8f 48200 403014 47774->48200 47779 401f13 28 API calls 47780 409ea4 47779->47780 47781 401f09 11 API calls 47780->47781 47781->47768 48236 40417e 47782->48236 47787 403014 28 API calls 47788 41b703 47787->47788 47789 401f09 11 API calls 47788->47789 47790 41b70c 47789->47790 47791 401f09 11 API calls 47790->47791 47792 40f25e 47791->47792 47792->47515 47794 41355b RegQueryValueExA RegCloseKey 47793->47794 47795 40f31f 47793->47795 47794->47795 47795->47387 47795->47543 47797 40f3cd 47796->47797 47798 413a7a RegDeleteValueW 47796->47798 47797->47382 47798->47797 47800 40dd96 47799->47800 47801 41353a 3 API calls 47800->47801 47802 40dd9d 47801->47802 47803 40ddbc 47802->47803 48331 401707 47802->48331 47807 414f65 47803->47807 47805 40ddaa 48334 4138b2 RegCreateKeyA 47805->48334 47808 4020df 11 API calls 47807->47808 47809 414f79 47808->47809 48348 41b944 47809->48348 47812 4020df 11 API calls 47813 414f8f 47812->47813 47814 401e65 22 API calls 47813->47814 47815 414f9d 47814->47815 47816 43bb2c _strftime 40 API calls 47815->47816 47817 414faa 47816->47817 47818 414fbc 47817->47818 47819 
414faf Sleep 47817->47819 47820 402093 28 API calls 47818->47820 47819->47818 47821 414fcb 47820->47821 47822 401e65 22 API calls 47821->47822 47823 414fd4 47822->47823 47824 4020f6 28 API calls 47823->47824 47825 414fdf 47824->47825 47826 41beac 28 API calls 47825->47826 47827 414fe7 47826->47827 48352 40489e WSAStartup 47827->48352 47829 414ff1 47830 401e65 22 API calls 47829->47830 47831 414ffa 47830->47831 47832 401e65 22 API calls 47831->47832 47859 415079 47831->47859 47833 415013 47832->47833 47835 401e65 22 API calls 47833->47835 47834 4020f6 28 API calls 47834->47859 47836 415024 47835->47836 47838 401e65 22 API calls 47836->47838 47837 41beac 28 API calls 47837->47859 47839 415035 47838->47839 47840 401e65 22 API calls 47839->47840 47842 415046 47840->47842 47841 406c59 28 API calls 47841->47859 47845 401e65 22 API calls 47842->47845 47843 402f10 28 API calls 47843->47859 47844 401fe2 28 API calls 47844->47859 47846 415057 47845->47846 47848 401e65 22 API calls 47846->47848 47847 401fd8 11 API calls 47847->47859 47849 415069 47848->47849 48454 40473d 89 API calls 47849->48454 47851 40531e 28 API calls 47851->47859 47852 406383 28 API calls 47852->47859 47854 4151c7 WSAGetLastError 48455 41cb72 30 API calls 47854->48455 47859->47834 47859->47837 47859->47841 47859->47843 47859->47844 47859->47847 47859->47851 47859->47852 47859->47854 47861 41b580 80 API calls 47859->47861 47863 401e65 22 API calls 47859->47863 47864 401e8d 11 API calls 47859->47864 47865 43bb2c _strftime 40 API calls 47859->47865 47867 402093 28 API calls 47859->47867 47873 4135e1 31 API calls 47859->47873 47885 4153f6 47859->47885 48353 414f24 47859->48353 48358 40482d 47859->48358 48365 404f51 47859->48365 48380 4048c8 connect 47859->48380 48440 404e26 WaitForSingleObject 47859->48440 48456 4052fd 28 API calls 47859->48456 48457 41b871 GlobalMemoryStatusEx 47859->48457 48458 4145f8 51 API calls 47859->48458 48459 409097 28 API calls 47859->48459 48460 441ed1 20 API calls 47859->48460 
48461 413733 RegOpenKeyExA RegQueryValueExA RegCloseKey 47859->48461 47861->47859 47863->47859 47864->47859 47866 415b0a Sleep 47865->47866 47866->47859 47867->47859 47873->47859 47874 40417e 28 API calls 47874->47885 47877 41bdaf 28 API calls 47877->47885 47878 41bc1f 28 API calls 47878->47885 47879 401e65 22 API calls 47880 415474 GetTickCount 47879->47880 48464 41bc1f 28 API calls 47880->48464 47885->47859 47885->47874 47885->47877 47885->47878 47885->47879 47887 402ea1 28 API calls 47885->47887 47888 402f10 28 API calls 47885->47888 47889 406383 28 API calls 47885->47889 47891 401fd8 11 API calls 47885->47891 47894 402093 28 API calls 47885->47894 47895 41b580 80 API calls 47885->47895 47896 415aac CreateThread 47885->47896 47897 401f09 11 API calls 47885->47897 48462 40ddc4 6 API calls 47885->48462 48463 41bcd3 28 API calls 47885->48463 48465 41bb77 GetLastInputInfo GetTickCount 47885->48465 48466 41bb27 30 API calls ___scrt_get_show_window_mode 47885->48466 48467 40f90c 29 API calls 47885->48467 48468 402f31 28 API calls 47885->48468 48469 404aa1 61 API calls ctype 47885->48469 48470 404c10 113 API calls ___std_exception_copy 47885->48470 48471 40b08c 85 API calls 47885->48471 47887->47885 47888->47885 47889->47885 47891->47885 47894->47885 47895->47885 47896->47885 48496 41ada8 106 API calls 47896->48496 47897->47885 47898->47300 47899->47307 47900->47312 47903 4020df 11 API calls 47902->47903 47904 406c65 47903->47904 47905 4032a0 28 API calls 47904->47905 47906 406c82 47905->47906 47906->47333 47908 40ebdf 47907->47908 47909 4135ae RegQueryValueExA RegCloseKey 47907->47909 47908->47330 47908->47347 47909->47908 47910->47337 47911->47366 47912->47358 47913->47350 47914->47365 48497 401f86 47915->48497 47918 40dae0 47922 41c048 2 API calls 47918->47922 47919 40daab 48501 41b645 29 API calls 47919->48501 47920 40dbd4 GetLongPathNameW 47924 40417e 28 API calls 47920->47924 47921 40daa1 47921->47920 47925 40dae5 47922->47925 47927 40dbe9 47924->47927 47928 
40dae9 47925->47928 47929 40db3b 47925->47929 47926 40dab4 47930 401f13 28 API calls 47926->47930 47931 40417e 28 API calls 47927->47931 47933 40417e 28 API calls 47928->47933 47932 40417e 28 API calls 47929->47932 47934 40dabe 47930->47934 47935 40dbf8 47931->47935 47936 40db49 47932->47936 47937 40daf7 47933->47937 47938 401f09 11 API calls 47934->47938 48504 40de0c 28 API calls 47935->48504 47942 40417e 28 API calls 47936->47942 47943 40417e 28 API calls 47937->47943 47938->47921 47940 40dc0b 48505 402fa5 28 API calls 47940->48505 47945 40db5f 47942->47945 47946 40db0d 47943->47946 47944 40dc16 48506 402fa5 28 API calls 47944->48506 48503 402fa5 28 API calls 47945->48503 48502 402fa5 28 API calls 47946->48502 47950 40db18 47954 401f13 28 API calls 47950->47954 47951 40dc20 47955 401f09 11 API calls 47951->47955 47952 40db6a 47953 401f13 28 API calls 47952->47953 47956 40db75 47953->47956 47957 40db23 47954->47957 47958 40dc2a 47955->47958 47960 401f09 11 API calls 47956->47960 47961 401f09 11 API calls 47957->47961 47959 401f09 11 API calls 47958->47959 47962 40dc33 47959->47962 47963 40db7e 47960->47963 47964 40db2c 47961->47964 47965 401f09 11 API calls 47962->47965 47966 401f09 11 API calls 47963->47966 47967 401f09 11 API calls 47964->47967 47968 40dc3c 47965->47968 47966->47934 47967->47934 47969 401f09 11 API calls 47968->47969 47970 40dc45 47969->47970 47971 401f09 11 API calls 47970->47971 47972 40dc4e 47971->47972 47972->47424 47973->47436 47974->47458 47975->47417 47976->47450 47977->47487 47978->47496 47979->47520 47980->47507 47982->47552 47983->47355 47986 41b556 LoadResource LockResource SizeofResource 47985->47986 47987 40f419 47985->47987 47986->47987 47988 43bda0 47987->47988 47993 4461b8 __Getctype 47988->47993 47989 4461f6 48005 44062d 20 API calls __dosmaperr 47989->48005 47990 4461e1 RtlAllocateHeap 47992 4461f4 47990->47992 47990->47993 47992->47587 47993->47989 47993->47990 48004 443001 7 API calls 2 library calls 47993->48004 47996 4020bf 
47995->47996 48006 4023ce 47996->48006 47998 4020ca 48010 40250a 47998->48010 48000 4020d9 48000->47590 48002 4020b7 28 API calls 48001->48002 48003 406e27 48002->48003 48003->47597 48004->47993 48005->47992 48007 4023d8 48006->48007 48008 402428 48006->48008 48007->48008 48017 4027a7 11 API calls std::_Deallocate 48007->48017 48008->47998 48011 40251a 48010->48011 48012 402520 48011->48012 48013 402535 48011->48013 48018 402569 48012->48018 48028 4028e8 28 API calls 48013->48028 48016 402533 48016->48000 48017->48008 48029 402888 48018->48029 48020 40257d 48021 402592 48020->48021 48022 4025a7 48020->48022 48034 402a34 22 API calls 48021->48034 48036 4028e8 28 API calls 48022->48036 48025 40259b 48035 4029da 22 API calls 48025->48035 48026 4025a5 48026->48016 48028->48016 48030 402890 48029->48030 48031 402898 48030->48031 48037 402ca3 22 API calls 48030->48037 48031->48020 48034->48025 48035->48026 48036->48026 48039 4020e7 48038->48039 48040 4023ce 11 API calls 48039->48040 48041 4020f2 48040->48041 48041->47625 48042->47625 48043->47625 48044->47615 48045->47606 48046->47629 48047->47633 48048->47635 48051 4032aa 48050->48051 48053 4032c9 48051->48053 48054 4028e8 28 API calls 48051->48054 48053->47645 48054->48053 48056 4051fb 48055->48056 48065 405274 48056->48065 48058 405208 48058->47648 48060 402061 48059->48060 48061 4023ce 11 API calls 48060->48061 48062 40207b 48061->48062 48089 40267a 48062->48089 48066 405282 48065->48066 48067 405288 48066->48067 48068 40529e 48066->48068 48076 4025f0 48067->48076 48070 4052f5 48068->48070 48071 4052b6 48068->48071 48086 4028a4 22 API calls 48070->48086 48075 40529c 48071->48075 48085 4028e8 28 API calls 48071->48085 48075->48058 48077 402888 22 API calls 48076->48077 48078 402602 48077->48078 48079 402672 48078->48079 48080 402629 48078->48080 48088 4028a4 22 API calls 48079->48088 48084 40263b 48080->48084 48087 4028e8 28 API calls 48080->48087 48084->48075 48085->48075 48087->48084 48090 40268b 48089->48090 48091 
4023ce 11 API calls 48090->48091 48092 40208d 48091->48092 48092->47651 48093->47659 48094->47664 48097 41b362 48096->48097 48098 41c055 GetCurrentProcess IsWow64Process 48096->48098 48100 4135e1 RegOpenKeyExA 48097->48100 48098->48097 48099 41c06c 48098->48099 48099->48097 48101 41360f RegQueryValueExA RegCloseKey 48100->48101 48102 413639 48100->48102 48101->48102 48103 402093 28 API calls 48102->48103 48104 41364e 48103->48104 48104->47675 48105->47683 48107 40b947 48106->48107 48112 402252 48107->48112 48109 40b952 48116 40b967 48109->48116 48111 40b961 48111->47694 48113 4022ac 48112->48113 48114 40225c 48112->48114 48113->48109 48114->48113 48123 402779 11 API calls std::_Deallocate 48114->48123 48117 40b9a1 48116->48117 48118 40b973 48116->48118 48135 4028a4 22 API calls 48117->48135 48124 4027e6 48118->48124 48122 40b97d 48122->48111 48123->48113 48125 4027ef 48124->48125 48126 402851 48125->48126 48127 4027f9 48125->48127 48137 4028a4 22 API calls 48126->48137 48130 402802 48127->48130 48132 402815 48127->48132 48136 402aea 28 API calls __EH_prolog 48130->48136 48133 402813 48132->48133 48134 402252 11 API calls 48132->48134 48133->48122 48134->48133 48136->48133 48138->47703 48140 402347 48139->48140 48141 402252 11 API calls 48140->48141 48142 4023c7 48141->48142 48142->47703 48144 4024f9 48143->48144 48145 40250a 28 API calls 48144->48145 48146 4020b1 48145->48146 48146->47430 48163 43ba8a 48147->48163 48149 43aed0 48169 43a837 36 API calls 2 library calls 48149->48169 48151 43ae95 48151->48149 48152 43aeaa 48151->48152 48154 43aeaf _strftime 48151->48154 48168 44062d 20 API calls __dosmaperr 48152->48168 48154->47732 48156 43aedc 48158 43af0b 48156->48158 48170 43bacf 40 API calls __Tolower 48156->48170 48160 43af77 48158->48160 48171 43ba36 20 API calls 2 library calls 48158->48171 48172 43ba36 20 API calls 2 library calls 48160->48172 48161 43b03e _strftime 48161->48154 48173 44062d 20 API calls __dosmaperr 48161->48173 48164 43baa2 48163->48164 
48165 43ba8f 48163->48165 48164->48151 48174 44062d 20 API calls __dosmaperr 48165->48174 48167 43ba94 _strftime 48167->48151 48168->48154 48169->48156 48170->48156 48171->48160 48172->48161 48173->48154 48174->48167 48181 401fb0 48175->48181 48177 402f1e 48178 402055 11 API calls 48177->48178 48179 402f2d 48178->48179 48179->47746 48180->47749 48182 4025f0 28 API calls 48181->48182 48183 401fbd 48182->48183 48183->48177 48185 40a162 48184->48185 48186 413584 3 API calls 48185->48186 48187 40a169 48186->48187 48188 40a197 48187->48188 48189 40a17d 48187->48189 48207 409097 28 API calls 48188->48207 48191 40a182 48189->48191 48192 409ed6 48189->48192 48205 409097 28 API calls 48191->48205 48192->47481 48193 40a1a5 48208 40a1b4 86 API calls 48193->48208 48196 40a190 48206 40a268 29 API calls 48196->48206 48198 40a195 48198->48192 48199->47774 48213 403222 48200->48213 48202 403022 48217 403262 48202->48217 48205->48196 48206->48198 48209 40a2ae 164 API calls 48206->48209 48207->48193 48208->48192 48210 40a2a2 86 API calls 48208->48210 48211 40a2c4 49 API calls 48208->48211 48212 40a2b8 129 API calls 48208->48212 48214 40322e 48213->48214 48223 403618 48214->48223 48216 40323b 48216->48202 48218 40326e 48217->48218 48219 402252 11 API calls 48218->48219 48220 403288 48219->48220 48221 402336 11 API calls 48220->48221 48222 403031 48221->48222 48222->47779 48224 403626 48223->48224 48225 403644 48224->48225 48226 40362c 48224->48226 48228 40365c 48225->48228 48229 40369e 48225->48229 48234 4036a6 28 API calls 48226->48234 48230 403642 48228->48230 48233 4027e6 28 API calls 48228->48233 48235 4028a4 22 API calls 48229->48235 48230->48216 48233->48230 48234->48230 48237 404186 48236->48237 48238 402252 11 API calls 48237->48238 48239 404191 48238->48239 48247 4041bc 48239->48247 48242 4042fc 48259 404353 48242->48259 48244 40430a 48245 403262 11 API calls 48244->48245 48246 404319 48245->48246 48246->47787 48248 4041c8 48247->48248 48251 4041d9 48248->48251 48250 40419c 
48250->48242 48252 4041e9 48251->48252 48253 404206 48252->48253 48254 4041ef 48252->48254 48255 4027e6 28 API calls 48253->48255 48258 404267 28 API calls 48254->48258 48257 404204 48255->48257 48257->48250 48258->48257 48260 40435f 48259->48260 48263 404371 48260->48263 48262 40436d 48262->48244 48264 40437f 48263->48264 48265 404385 48264->48265 48266 40439e 48264->48266 48329 4034e6 28 API calls 48265->48329 48267 402888 22 API calls 48266->48267 48268 4043a6 48267->48268 48270 404419 48268->48270 48271 4043bf 48268->48271 48330 4028a4 22 API calls 48270->48330 48273 4027e6 28 API calls 48271->48273 48282 40439c 48271->48282 48273->48282 48282->48262 48329->48282 48337 43ab1a 48331->48337 48335 4138ca RegSetValueExA RegCloseKey 48334->48335 48336 4138f4 48334->48336 48335->48336 48336->47803 48340 43aa9b 48337->48340 48339 40170d 48339->47805 48341 43aaaa 48340->48341 48342 43aabe 48340->48342 48346 44062d 20 API calls __dosmaperr 48341->48346 48345 43aaaf __alldvrm _strftime 48342->48345 48347 4489d7 11 API calls 2 library calls 48342->48347 48345->48339 48346->48345 48347->48345 48351 41b98a ctype ___scrt_get_show_window_mode 48348->48351 48349 402093 28 API calls 48350 414f84 48349->48350 48350->47812 48351->48349 48352->47829 48354 414f33 48353->48354 48355 414f3d getaddrinfo WSASetLastError 48353->48355 48472 414dc1 29 API calls ___std_exception_copy 48354->48472 48355->47859 48357 414f38 48357->48355 48359 404846 socket 48358->48359 48360 404839 48358->48360 48362 404860 CreateEventW 48359->48362 48363 404842 48359->48363 48473 40489e WSAStartup 48360->48473 48362->47859 48363->47859 48364 40483e 48364->48359 48364->48363 48366 404f65 48365->48366 48367 404fea 48365->48367 48368 404f6e 48366->48368 48369 404fc0 CreateEventA CreateThread 48366->48369 48370 404f7d GetLocalTime 48366->48370 48367->47859 48368->48369 48369->48367 48476 405150 48369->48476 48474 41bc1f 28 API calls 48370->48474 48372 404f91 48475 4052fd 28 API calls 48372->48475 48381 404a1b 
48380->48381 48382 4048ee 48380->48382 48383 404a21 WSAGetLastError 48381->48383 48384 40497e 48381->48384 48382->48384 48386 40531e 28 API calls 48382->48386 48404 404923 48382->48404 48383->48384 48385 404a31 48383->48385 48384->47859 48387 404a36 48385->48387 48392 404932 48385->48392 48389 40490f 48386->48389 48491 41cb72 30 API calls 48387->48491 48393 402093 28 API calls 48389->48393 48391 40492b 48391->48392 48395 404941 48391->48395 48396 402093 28 API calls 48392->48396 48398 40491e 48393->48398 48394 404a40 48492 4052fd 28 API calls 48394->48492 48406 404950 48395->48406 48407 404987 48395->48407 48397 404a80 48396->48397 48400 402093 28 API calls 48397->48400 48401 41b580 80 API calls 48398->48401 48403 404a8f 48400->48403 48401->48404 48408 41b580 80 API calls 48403->48408 48480 420cf1 27 API calls 48404->48480 48411 402093 28 API calls 48406->48411 48488 421ad1 54 API calls 48407->48488 48408->48384 48414 40495f 48411->48414 48413 40498f 48417 4049c4 48413->48417 48418 404994 48413->48418 48415 402093 28 API calls 48414->48415 48419 40496e 48415->48419 48490 420e97 28 API calls 48417->48490 48422 402093 28 API calls 48418->48422 48423 41b580 80 API calls 48419->48423 48425 4049a3 48422->48425 48426 404973 48423->48426 48424 4049cc 48427 4049f9 CreateEventW CreateEventW 48424->48427 48429 402093 28 API calls 48424->48429 48428 402093 28 API calls 48425->48428 48481 420d31 48426->48481 48427->48384 48430 4049b2 48428->48430 48432 4049e2 48429->48432 48433 41b580 80 API calls 48430->48433 48435 402093 28 API calls 48432->48435 48434 4049b7 48433->48434 48489 421143 52 API calls 48434->48489 48437 4049f1 48435->48437 48438 41b580 80 API calls 48437->48438 48439 4049f6 48438->48439 48439->48427 48441 404e40 SetEvent CloseHandle 48440->48441 48442 404e57 closesocket 48440->48442 48443 404ed8 48441->48443 48444 404e64 48442->48444 48443->47859 48445 404e73 48444->48445 48446 404e7a 48444->48446 48495 4050e4 84 API calls 48445->48495 48448 404e8c 
WaitForSingleObject 48446->48448 48449 404ece SetEvent CloseHandle 48446->48449 48450 420d31 3 API calls 48448->48450 48449->48443 48451 404e9b SetEvent WaitForSingleObject 48450->48451 48452 420d31 3 API calls 48451->48452 48453 404eb3 SetEvent CloseHandle CloseHandle 48452->48453 48453->48449 48454->47859 48455->47859 48457->47859 48458->47859 48459->47859 48460->47859 48461->47859 48462->47885 48463->47885 48464->47885 48465->47885 48466->47885 48467->47885 48468->47885 48469->47885 48470->47885 48471->47885 48472->48357 48473->48364 48474->48372 48479 40515c 102 API calls 48476->48479 48478 405159 48479->48478 48480->48391 48482 41e7a2 48481->48482 48483 420d39 48481->48483 48484 41e7b0 48482->48484 48493 41d8ec DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48482->48493 48483->48384 48494 41e4d2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48484->48494 48487 41e7b7 48488->48413 48489->48426 48490->48424 48491->48394 48493->48484 48494->48487 48495->48446 48498 401f8e 48497->48498 48499 402252 11 API calls 48498->48499 48500 401f99 48499->48500 48500->47918 48500->47919 48500->47921 48501->47926 48502->47950 48503->47952 48504->47940 48505->47944 48506->47951 48509 40f7fd 48507->48509 48508 413584 3 API calls 48508->48509 48509->48508 48510 40f82f 48509->48510 48511 40f8a1 48509->48511 48513 40f891 Sleep 48509->48513 48510->48513 48516 41bcef 28 API calls 48510->48516 48522 401f09 11 API calls 48510->48522 48526 402093 28 API calls 48510->48526 48529 4137aa 14 API calls 48510->48529 48540 40d0d1 112 API calls ___scrt_get_show_window_mode 48510->48540 48541 409097 28 API calls 48510->48541 48542 41384f 14 API calls 48510->48542 48543 409097 28 API calls 48511->48543 48513->48509 48516->48510 48517 40f8ac 48518 41bcef 28 API calls 48517->48518 48519 40f8b8 48518->48519 48544 41384f 14 API calls 48519->48544 48522->48510 48523 40f8cb 48524 401f09 11 API calls 48523->48524 48525 40f8d7 48524->48525 48527 402093 28 API calls 
48525->48527 48526->48510 48528 40f8e8 48527->48528 48530 4137aa 14 API calls 48528->48530 48529->48510 48531 40f8fb 48530->48531 48545 41288b TerminateProcess WaitForSingleObject 48531->48545 48533 40f903 ExitProcess 48546 412829 62 API calls 48536->48546 48541->48510 48542->48510 48543->48517 48544->48523 48545->48533 48547 43bea8 48549 43beb4 _swprintf ___scrt_is_nonwritable_in_current_image 48547->48549 48548 43bec2 48563 44062d 20 API calls __dosmaperr 48548->48563 48549->48548 48551 43beec 48549->48551 48558 445909 EnterCriticalSection 48551->48558 48553 43bec7 ___scrt_is_nonwritable_in_current_image _strftime 48554 43bef7 48559 43bf98 48554->48559 48558->48554 48560 43bfa6 48559->48560 48562 43bf02 48560->48562 48565 4497ec 37 API calls 2 library calls 48560->48565 48564 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 48562->48564 48563->48553 48564->48553 48565->48560 48566 42f97e 48567 42f989 48566->48567 48568 42f99d 48567->48568 48570 432f7f 48567->48570 48571 432f8a 48570->48571 48572 432f8e 48570->48572 48571->48568 48574 440f5d 48572->48574 48575 446206 48574->48575 48576 446213 48575->48576 48577 44621e 48575->48577 48578 4461b8 ___crtLCMapStringA 21 API calls 48576->48578 48579 446226 48577->48579 48585 44622f __Getctype 48577->48585 48584 44621b 48578->48584 48587 446802 20 API calls _free 48579->48587 48580 446234 48588 44062d 20 API calls __dosmaperr 48580->48588 48581 446259 RtlReAllocateHeap 48581->48584 48581->48585 48584->48571 48585->48580 48585->48581 48589 443001 7 API calls 2 library calls 48585->48589 48587->48584 48588->48584 48589->48585 48590 426cdc 48595 426d59 send 48590->48595 48596 41e04e 48597 41e063 ctype ___scrt_get_show_window_mode 48596->48597 48609 41e266 48597->48609 48615 432f55 21 API calls ___std_exception_copy 48597->48615 48600 41e277 48601 41e21a 48600->48601 48611 432f55 21 API calls ___std_exception_copy 48600->48611 48603 41e213 ___scrt_get_show_window_mode 48603->48601 48616 432f55 21 API calls 
___std_exception_copy 48603->48616 48605 41e2b0 ___scrt_get_show_window_mode 48605->48601 48612 4335db 48605->48612 48607 41e240 ___scrt_get_show_window_mode 48607->48601 48617 432f55 21 API calls ___std_exception_copy 48607->48617 48609->48601 48610 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 48609->48610 48610->48600 48611->48605 48618 4334fa 48612->48618 48614 4335e3 48614->48601 48615->48603 48616->48607 48617->48609 48619 433513 48618->48619 48623 433509 48618->48623 48619->48623 48624 432f55 21 API calls ___std_exception_copy 48619->48624 48621 433534 48621->48623 48625 4338c8 CryptAcquireContextA 48621->48625 48623->48614 48624->48621 48626 4338e4 48625->48626 48627 4338e9 CryptGenRandom 48625->48627 48626->48623 48627->48626 48628 4338fe CryptReleaseContext 48627->48628 48628->48626 48629 426c6d 48635 426d42 recv 48629->48635

                                APIs
                                • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                • API ID: AddressProc$LibraryLoad$HandleModule
                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                • API String ID: 4236061018-3687161714
                                • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                Control-flow Graph

                                Control-flow graph of the main routine at 0040EA00 (node listing summarized; graph image not reproduced). API-bearing blocks along the path: 40ea00 call 41cbe1 (the LoadLibraryA/GetProcAddress resolver), GetModuleFileNameW; 40effe call 41ce2c, CreateThread; 40f025 StrToIntA; further CreateThread calls at 40f103, 40f158, 40f1a9, 40f27e, 40f293 and 40f2a8; 40f27b SetProcessDEPPolicy; 40f381 DeleteFileW, re-entered from 40f36f Sleep (retry loop); both paths leave through 40f3e0 call 40dd7d, call 414f65.
                                APIs
                                  • Part of subcall function 0041CBE1: the LoadLibraryA / GetModuleHandleA / GetProcAddress resolver sequence listed in the 0041CBE1 block above (ref: 0041CBF6 to 0041CD17)
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe,00000104), ref: 0040EA29
                                  • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                • String ID: ,aF$,aF$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-PXKO50$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                • API String ID: 2830904901-2089348281
                                • Opcode ID: 49431b8dd783423accf16740c7d71729371280868a66773ebf6fb8fdb646c024
                                • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                • Opcode Fuzzy Hash: 49431b8dd783423accf16740c7d71729371280868a66773ebf6fb8fdb646c024
                                • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                APIs
                                  • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                  • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                  • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                • ExitProcess.KERNEL32 ref: 0040F905
                                • API ID: CloseExitOpenProcessQuerySleepValue
                                • String ID: 5.1.3 Pro$override$pth_unenc
                                • API String ID: 2281282204-1392497409
                                • Opcode ID: 63a879446c8ff419ef4e70c844bd481c765728b91b26e4cfc9b1ce748e39a5f9
                                • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                • Opcode Fuzzy Hash: 63a879446c8ff419ef4e70c844bd481c765728b91b26e4cfc9b1ce748e39a5f9
                                • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
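                                The three listings above carry the most useful triage data on this page: the 0041CBE1 block shows the sample resolving its imports at runtime through LoadLibraryA/GetModuleHandleA followed by GetProcAddress (one lookup, the Shlwapi one, passes a small integer instead of a name, i.e. an ordinal), and the String ID fields of the 0040EA00 block and of the block just above carry the "Rmc-PXKO50" name, "Remcos Agent initialized" and the "5.1.3 Pro" version string. The following script is an added example written for this page, not code from the report, from Joe Sandbox or from Remcos: it parses those two report fields as they appear above, rebuilds the runtime-resolved import table (flagging by-ordinal lookups, which hide the target from string-based triage), maps the imports to coarse capability tags, and pulls the Remcos artifacts out of the `$`-joined String ID field. The capability map, the `Rmc-` and version regexes and the marker list are this example's own assumptions derived from this sample, not labels from the report; treating the `Rmc-` string as the mutex/registry-key name is likewise an assumption.

```python
"""Triage helper for the Joe Sandbox function listings above (added example;
not code from the report or from Remcos).  It parses two report fields:
the paired loader + GetProcAddress API lines of 0041CBE1, and the
`String ID:` fields whose entries Joe Sandbox joins with '$'."""
import re
from collections import defaultdict

# Sample input copied from the 0041CBE1 API list above (a subset that still
# exercises every path, including the by-ordinal lookup in the Shlwapi line).
API_LINES = """
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
• GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
• GetProcAddress.KERNEL32(00000000), ref: 0041CC57
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
• GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
• GetProcAddress.KERNEL32(00000000), ref: 0041CD17
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
• GetProcAddress.KERNEL32(00000000), ref: 0041CD60
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
• GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
"""

# String ID fields copied from the 0040EA00 block and the block above.
STRING_ID_LINES = [
    "• String ID: ,aF$,aF$8SG$8SG$Access Level: $Administrator$Exe$Exe$Inj$PSG"
    "$Remcos Agent initialized$Rmc-PXKO50$Software\\$User$dMG$del$del$exepath"
    "$licence$license_code.txt$PG$PG",
    "• String ID: 5.1.3 Pro$override$pth_unenc",
]

# Loader call: the second stack slot is the name (or ordinal) that the
# following GetProcAddress consumes, since its argument was pushed first.
LOADER_RE = re.compile(
    r"(?P<api>LoadLibraryA|GetModuleHandleA)\.KERNEL32\((?P<lib>[^,]+),(?P<name>[^,)]+)")
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}")


def parse_resolved_imports(text):
    """Return [(library, symbol, by_ordinal)] for each loader call that is
    immediately followed by a GetProcAddress line."""
    resolved, pending = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = LOADER_RE.search(line)
        if m:
            name = m.group("name")
            # GetProcAddress treats an lpProcName whose high word is zero as an
            # ordinal, so a raw value below 0x10000 here is a by-ordinal lookup.
            if HEX32_RE.fullmatch(name) and int(name, 16) < 0x10000:
                pending = (m.group("lib").lower(), f"#{int(name, 16)}", True)
            else:
                pending = (m.group("lib").lower(), name, False)
        elif line.startswith("GetProcAddress.KERNEL32(") and pending:
            resolved.append(pending)
            pending = None
    return resolved


# Assumed grouping for triage; the report itself does not classify imports.
CAPABILITY = {
    "ntunmapviewofsection": "process hollowing / injection",
    "ntsuspendprocess": "process suspend/resume",
    "ntresumeprocess": "process suspend/resume",
    "isuseranadmin": "privilege check",
    "iswow64process": "environment fingerprinting",
    "getextendedtcptable": "connection enumeration",
    "getextendedudptable": "connection enumeration",
    "rmstartsession": "Restart Manager (find handles on a file)",
    "rmgetlist": "Restart Manager (find handles on a file)",
    "setprocessdeppolicy": "DEP policy change",
}


def tag_capabilities(resolved):
    """Map resolved imports to coarse capability tags; by-ordinal imports are
    flagged separately because their target is invisible to string triage."""
    tags = defaultdict(list)
    for lib, sym, by_ordinal in resolved:
        if by_ordinal:
            tags["opaque by-ordinal import"].append(f"{lib}!{sym}")
        elif sym.lower() in CAPABILITY:
            tags[CAPABILITY[sym.lower()]].append(f"{lib}!{sym}")
    return dict(tags)


MUTEX_RE = re.compile(r"Rmc-[A-Z0-9]{4,8}")          # shape seen in this sample (assumption)
VERSION_RE = re.compile(r"\d+(?:\.\d+){2} [A-Za-z]+")  # e.g. "5.1.3 Pro" (assumption)
MARKERS = {"Remcos Agent initialized", "license_code.txt", "licence", "exepath"}


def split_string_ids(line):
    """Joe Sandbox joins String ID entries with '$'; drop the label and split."""
    body = line.partition("String ID:")[2].strip()
    return [s for s in body.split("$") if s]


def extract_remcos_artifacts(lines):
    """Classify String ID entries into the Rmc- name, version string and markers."""
    found = {"mutex_or_key": [], "version": [], "markers": []}
    for line in lines:
        for s in split_string_ids(line):
            if MUTEX_RE.fullmatch(s):
                found["mutex_or_key"].append(s)
            elif VERSION_RE.fullmatch(s):
                found["version"].append(s)
            elif s in MARKERS:
                found["markers"].append(s)
    return found


if __name__ == "__main__":
    for tag, syms in tag_capabilities(parse_resolved_imports(API_LINES)).items():
        print(f"{tag}: {', '.join(syms)}")
    print(extract_remcos_artifacts(STRING_ID_LINES))
```

                                Running the script against the lines copied above reports the NtUnmapViewOfSection, Restart Manager and connection-enumeration imports under their tags, singles out shlwapi!#12 as an opaque by-ordinal import worth resolving by hand in the export table, and returns Rmc-PXKO50 and 5.1.3 Pro from the string fields. The same parser works on a full Joe Sandbox function listing when the page text is pasted in place of the embedded sample.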

                                Control-flow Graph

                                Control-flow graph of 00404F51 (node listing summarized; graph image not reproduced): 404f7d GetLocalTime, then string formatting through 41bc1f, 4052fd, 402093, 41b580 and 401fd8 (the "KeepAlive | Enabled | Timeout: " string is referenced from 00404F94 inside this block); 404fc0 CreateEventA, CreateThread; return at 404fec.
                                APIs
                                • GetLocalTime.KERNEL32(?), ref: 00404F81
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                • API ID: Create$EventLocalThreadTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 2532271599-1507639952
                                • Opcode ID: e7cf8e4b77719752666b977cdaec8ebc3f6be030fe93d2bf9ddd18710d4519e8
                                • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                • Opcode Fuzzy Hash: e7cf8e4b77719752666b977cdaec8ebc3f6be030fe93d2bf9ddd18710d4519e8
                                • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                APIs
                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,0078EBC0), ref: 004338DA
                                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                • API ID: Crypt$Context$AcquireRandomRelease
                                • String ID:
                                • API String ID: 1815803762-0
                                • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                APIs
                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B6BB
                                • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                • API ID: Name$ComputerUser
                                • String ID:
                                • API String ID: 4229901323-0
                                • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                • API ID: recv
                                • String ID:
                                • API String ID: 1507349165-0
                                • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26

                                Control-flow Graph

                                Control-flow graph of 00414F65 (node listing summarized; graph image not reproduced): 414faf Sleep; 415133 call 414f24, followed on the error path by 4151c7 WSAGetLastError and on the success path by 415210 call 40482d -> 41524b call 404f51 (the keep-alive routine above), call 4048c8; 4153fb GetTickCount with the system-information collection calls (40ddc4, 41bcd3, 41bdaf, 40f90c, 404aa1, 404c10); 415aac CreateThread; 415ade call 404e26, call 4021fa -> 415af2 Sleep -> back to 41507c (reconnect loop).
                                APIs
                                • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
                                • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$ErrorLastLocalTime
                                • String ID: | $%I64u$,aF$5.1.3 Pro$8SG$C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$Rmc-PXKO50$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                • API String ID: 524882891-3103458479
                                • Opcode ID: f0b8b78a1a3aad4c4c2d74285778475f20749406caa35db0b86bf36eba2e60bd
                                • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                • Opcode Fuzzy Hash: f0b8b78a1a3aad4c4c2d74285778475f20749406caa35db0b86bf36eba2e60bd
                                • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D
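The per-function listings on this page all share one textual form: an "APIs" section whose lines read "• Api.MODULE(args), ref: ADDR" (with an optional "Part of subcall function ADDR:" prefix, and sometimes no argument list at all, as in "WSAGetLastError.WS2_32 ref: 00404A21"), and a "String ID" line whose strings are joined with "$". The Python below is an editor's added example for turning those lines into structured records for bulk review (call sites in address order, APIs grouped by exporting module, and the string list split out); it is not part of Joe Sandbox or of the analysed sample. The sample lines are copied from the listings on this page; the parsing rules (the "$" separator, one separator space after "String ID:") are the editor's reading of the format, not a documented specification.

```python
"""Parse Joe Sandbox per-function API and String ID listings into records.
Added example; the sample lines are copied from this report, the format
rules are assumptions about how the report text is laid out."""
import re
from collections import defaultdict

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE, an optional "(args)" group, then "ref: ADDR" (the call site).
API_LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Lines copied from the listings on this page, plus one non-API line
# ("Source File: ...") that the parser must skip.
SAMPLE_LISTING = """
• Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414FB6
• WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
• Sleep.KERNEL32(00000000,00000002), ref: 00415B12
  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
• WSAGetLastError.WS2_32 ref: 00404A21
• Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""


def parse_api_lines(listing: str) -> list:
    """Return one record per API line, in listing order; other lines are ignored."""
    records = []
    for line in listing.splitlines():
        m = API_LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": raw_args.split(",") if raw_args else [],
            "ref": int(m.group("ref"), 16),
            # Address of the helper the call lives in when the line is a
            # "Part of subcall function" entry, else None.
            "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return records


def calls_by_module(records) -> dict:
    """Group API names by exporting module, keeping listing order."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["module"]].append(r["api"])
    return dict(grouped)


def call_sites_in_order(records) -> list:
    """(address, api) pairs sorted by call-site address, which approximates
    program order inside one function."""
    return [(hex(r["ref"]), r["api"]) for r in sorted(records, key=lambda r: r["ref"])]


def parse_string_ids(line: str) -> list:
    """Split a '• String ID: a$b$c' line on the '$' separator the report uses.
    Interior spaces are kept because they belong to the strings (e.g. 'Connected | ')."""
    _, _, body = line.partition("String ID:")
    body = body[1:] if body.startswith(" ") else body
    return [s for s in body.split("$") if s != ""]


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE_LISTING)
    for addr, api in call_sites_in_order(recs):
        print(addr, api)
    print(calls_by_module(recs))
    print(parse_string_ids("• String ID: | $%I64u$,aF$5.1.3 Pro$8SG"))
```

Feeding a whole saved report through parse_api_lines gives one flat table of call sites that can be diffed against another build of the same family, which is usually quicker than reading each function block by hand.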

                                Control-flow Graph

                                APIs
                                • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                • WSAGetLastError.WS2_32 ref: 00404A21
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... | $x<z
                                • API String ID: 994465650-4118805868
                                • Opcode ID: 7adcd97a12df77eb00c978c8fa497ed471b838c2edee9eb12bf68db0be483499
                                • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                • Opcode Fuzzy Hash: 7adcd97a12df77eb00c978c8fa497ed471b838c2edee9eb12bf68db0be483499
                                • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                Control-flow Graph

                                APIs
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                • closesocket.WS2_32(000000FF), ref: 00404E5A
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                • String ID:
                                • API String ID: 3658366068-0
                                • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                Control-flow Graph

                                control_flow_graph 1017 40da6f-40da94 call 401f86 1020 40da9a 1017->1020 1021 40dbbe-40dbe4 call 401f04 GetLongPathNameW call 40417e 1017->1021 1023 40dae0-40dae7 call 41c048 1020->1023 1024 40daa1-40daa6 1020->1024 1025 40db93-40db98 1020->1025 1026 40dad6-40dadb 1020->1026 1027 40dba9 1020->1027 1028 40db9a-40db9f call 43c11f 1020->1028 1029 40daab-40dab9 call 41b645 call 401f13 1020->1029 1030 40dacc-40dad1 1020->1030 1031 40db8c-40db91 1020->1031 1042 40dbe9-40dc56 call 40417e call 40de0c call 402fa5 * 2 call 401f09 * 5 1021->1042 1043 40dae9-40db39 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1023->1043 1044 40db3b-40db87 call 40417e call 43c11f call 40417e call 402fa5 call 401f13 call 401f09 * 2 1023->1044 1033 40dbae-40dbb3 call 43c11f 1024->1033 1025->1033 1026->1033 1027->1033 1039 40dba4-40dba7 1028->1039 1052 40dabe 1029->1052 1030->1033 1031->1033 1045 40dbb4-40dbb9 call 409092 1033->1045 1039->1027 1039->1045 1053 40dac2-40dac7 call 401f09 1043->1053 1044->1052 1045->1021 1052->1053 1053->1021
                                APIs
                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: LongNamePath
                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                • API String ID: 82841172-425784914
                                • Opcode ID: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
                                • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                • Opcode Fuzzy Hash: 27b408779815cc004e99ecfd0e182e1062e96e4c42aa95a1860903710c88a7ad
                                • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                Control-flow Graph

                                control_flow_graph 1099 41b354-41b3ab call 41c048 call 4135e1 call 401fe2 call 401fd8 call 406b1c 1110 41b3ad-41b3bc call 4135e1 1099->1110 1111 41b3ee-41b3f7 1099->1111 1116 41b3c1-41b3d8 call 401fab StrToIntA 1110->1116 1112 41b400 1111->1112 1113 41b3f9-41b3fe 1111->1113 1115 41b405-41b410 call 40537d 1112->1115 1113->1115 1121 41b3e6-41b3e9 call 401fd8 1116->1121 1122 41b3da-41b3e3 call 41cffa 1116->1122 1121->1111 1122->1121
                                APIs
                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 782494840-2070987746
                                • Opcode ID: 8c19a994082f4321bdc384a8b48a1832129d6d8eaa349cc43c026258e8294c9e
                                • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                • Opcode Fuzzy Hash: 8c19a994082f4321bdc384a8b48a1832129d6d8eaa349cc43c026258e8294c9e
                                • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                Control-flow Graph

                                control_flow_graph 1190 4137aa-4137c1 RegCreateKeyA 1191 4137c3-4137f8 call 40247c call 401fab RegSetValueExA RegCloseKey 1190->1191 1192 4137fa 1190->1192 1194 4137fc-41380a call 401fd8 1191->1194 1192->1194
                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
                                • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: pth_unenc
                                • API String ID: 1818849710-4028850238
                                • Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                • Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54

                                Control-flow Graph

                                control_flow_graph 1200 40482d-404837 1201 404846-40485e socket 1200->1201 1202 404839-404840 call 40489e 1200->1202 1204 404860-40489d CreateEventW 1201->1204 1205 404842-404845 1201->1205 1202->1201 1202->1205
                                APIs
                                • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEventStartupsocket
                                • String ID: x<z
                                • API String ID: 1953588214-1719664935
                                • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                                • Opcode Fuzzy Hash: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18

                                Control-flow Graph

                                control_flow_graph 1207 414f24-414f31 1208 414f33-414f38 call 414dc1 1207->1208 1209 414f3d-414f55 getaddrinfo WSASetLastError 1207->1209 1208->1209
                                APIs
                                • getaddrinfo.WS2_32(00000000,00000000,00000000,x<z,004750E4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                  • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                • String ID: x<z
                                • API String ID: 1170566393-1719664935
                                • Opcode ID: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                • Instruction ID: 64a5677b7ab27dcaa32d5743096e05a6e92bfc5102e3e8065abb212a99eff034
                                • Opcode Fuzzy Hash: 63e6a57adcb3e9d376df8b1f7a36805de8af56205c6b0d3f673684859221182d
                                • Instruction Fuzzy Hash: 23D017322005316BD320A769AC00AEBAA9EDFD6760B12003BBD08D2251DA949C8286E8

                                Control-flow Graph

                                control_flow_graph 1212 40d0a4-40d0d0 call 401fab CreateMutexA GetLastError
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                • GetLastError.KERNEL32 ref: 0040D0BE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateErrorLastMutex
                                • String ID: Rmc-PXKO50
                                • API String ID: 1925916568-3030371538
                                • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519
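Two functions on this page give host-side indicators that survive a rename of the binary: 004137AA creates a key under HKEY_CURRENT_USER (0x80000001) and writes a value named "pth_unenc" with RegSetValueExA, and 0040D0A4 calls CreateMutexA with the name "Rmc-PXKO50" immediately followed by GetLastError, the usual single-instance check (a second copy sees ERROR_ALREADY_EXISTS, 183). The Python below is an editor's added example, not code from Joe Sandbox or from the sample, that runs those two indicators over constructed endpoint telemetry. Assumptions: the telemetry lines are invented in a hypothetical key=value export format; the mutex pattern is generalised from the one observed name to "Rmc-" plus six upper-case alphanumerics; the "Software\Rmc-PXKO50" subkey in the sample data is illustrative, since the report only shows the hive and the value name.

```python
"""Offline triage of constructed endpoint telemetry for the mutex and registry
indicators exposed by this report. Added example; nothing here is sandbox output."""
import re
from collections import defaultdict

# ASSUMPTION: generalised from the single observed name "Rmc-PXKO50".
# Replace with the literal name to match only this build.
REMCOS_MUTEX_RE = re.compile(r"^Rmc-[A-Z0-9]{6}$")
REMCOS_REG_VALUE = "pth_unenc"   # value name written under HKCU at 004137E1
ERROR_ALREADY_EXISTS = 183       # GetLastError() after CreateMutexA when a copy already runs

# Constructed sample telemetry (hypothetical key=value export, not a real EDR format).
SAMPLE_EVENTS = [
    'type=mutex pid=4132 image="C:\\Users\\user\\Desktop\\decoded.exe" name=Rmc-PXKO50 lasterror=0',
    'type=mutex pid=912 image="C:\\Windows\\explorer.exe" name=Local\\ShellReadyEvent lasterror=0',
    'type=regset pid=4132 hive=HKCU key="Software\\Rmc-PXKO50" value=pth_unenc',
    'type=regset pid=5560 hive=HKLM key="Software\\Vendor\\App" value=Version',
    'type=mutex pid=7781 image="C:\\Temp\\a.exe" name=Rmc-AB12CD lasterror=183',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value line; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def classify(ev: dict):
    """Return (finding, pid) when the event matches an indicator from the report, else None."""
    if ev.get("type") == "mutex" and REMCOS_MUTEX_RE.match(ev.get("name", "")):
        # lasterror == 183 means the mutex already existed: a second copy of the
        # RAT started while one was running, which is what the check at 0040D0BE detects.
        if ev.get("lasterror") == str(ERROR_ALREADY_EXISTS):
            return "remcos_mutex_second_instance", ev["pid"]
        return "remcos_mutex", ev["pid"]
    if (ev.get("type") == "regset" and ev.get("hive") == "HKCU"
            and ev.get("value") == REMCOS_REG_VALUE):
        return "remcos_regvalue", ev["pid"]
    return None


def triage(lines) -> list:
    """All findings in input order."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


def confirmed_pids(lines) -> list:
    """PIDs with both a mutex and a registry finding. In the sandbox run one
    process did both, so the pair is a stronger signal than either alone."""
    kinds = defaultdict(set)
    for finding, pid in triage(lines):
        kinds[pid].add(finding.split("_")[1])   # "mutex" or "regvalue"
    return sorted(pid for pid, k in kinds.items() if {"mutex", "regvalue"} <= k)


if __name__ == "__main__":
    for finding, pid in triage(SAMPLE_EVENTS):
        print(f"{pid}: {finding}")
    print("confirmed:", confirmed_pids(SAMPLE_EVENTS))
```

The value-name match deliberately ignores the subkey path, because the report shows only the hive and "pth_unenc"; if the subkey is later confirmed from the registry traces, narrow the regset rule to it to cut false positives from unrelated software that happens to use the same value name.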

                                Control-flow Graph

                                control_flow_graph 1215 4135e1-41360d RegOpenKeyExA 1216 413642 1215->1216 1217 41360f-413637 RegQueryValueExA RegCloseKey 1215->1217 1218 413644 1216->1218 1217->1218 1219 413639-413640 1217->1219 1220 413649-413655 call 402093 1218->1220 1219->1220
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                • RegCloseKey.KERNEL32(?), ref: 0041362D
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
                                • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                • Opcode Fuzzy Hash: e5c88bf4778b1a12960ae4c3b265923e79f6a7b3b3cce25859afcc872f091df0
                                • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F461
                                • _free.LIBCMT ref: 0044F49A
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F4A1
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: EnvironmentStrings$Free_free
                                • String ID:
                                • API String ID: 2716640707-0
                                • Opcode ID: 0f2961337cf6473c9b59c8633065eebaee8da3dc7e8e50693e042ad6422b7f19
                                • Instruction ID: 0fde98e0ac238faa149cd6f420f555edc5ad685e5938876998fddc3cfa248eb7
                                • Opcode Fuzzy Hash: 0f2961337cf6473c9b59c8633065eebaee8da3dc7e8e50693e042ad6422b7f19
                                • Instruction Fuzzy Hash: 41E0E537545A226BB211323A6C49D6F2A58CFD27B6726003BF40486242EE288D0641BA

                                 Control-flow Graph (legend: Executed / Not Executed)
                                 • Node 1223: 413584-4135ac RegOpenKeyExA
                                 • Node 1224: 4135db
                                 • Node 1225: 4135ae-4135d9 RegQueryValueExA RegCloseKey
                                 • Node 1226: 4135dd-4135e0
                                 • Edges: 1223->1224, 1223->1225, 1224->1226, 1225->1226
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                • RegCloseKey.KERNEL32(?), ref: 004135CD
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                APIs
                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                • RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID:
                                • API String ID: 1818849710-0
                                • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _wcslen
                                • String ID: pQG
                                • API String ID: 176396367-3769108836
                                • Opcode ID: 2909f1be4624e20aefd95f70af1697863fb55ab0ff45cf84c0a49d4b96723009
                                • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                • Opcode Fuzzy Hash: 2909f1be4624e20aefd95f70af1697863fb55ab0ff45cf84c0a49d4b96723009
                                • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                APIs
                                • _free.LIBCMT ref: 00446227
                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap$_free
                                • String ID:
                                • API String ID: 1482568997-0
                                • Opcode ID: 1f917527c9cd9112a4c2ab4db5d8ca91a49e76957baa276bc02c381a5932faf2
                                • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                • Opcode Fuzzy Hash: 1f917527c9cd9112a4c2ab4db5d8ca91a49e76957baa276bc02c381a5932faf2
                                • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                APIs
                                • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Startup
                                • String ID:
                                • API String ID: 724789610-0
                                • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                                • Opcode Fuzzy Hash: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: send
                                • String ID:
                                • API String ID: 2809346765-0
                                • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                  • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                  • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                  • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                • DeleteFileA.KERNEL32(?), ref: 0040868D
                                  • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                  • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                  • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                  • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                • Sleep.KERNEL32(000007D0), ref: 00408733
                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                  • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                • String ID: (PG$(aF$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                • API String ID: 1067849700-414524693
                                • Opcode ID: ca3b15a81cf2ed5b26c61ef10c17aff720d2c02de49d1bab3c758e4da21d76d0
                                • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                • Opcode Fuzzy Hash: ca3b15a81cf2ed5b26c61ef10c17aff720d2c02de49d1bab3c758e4da21d76d0
                                • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • __Init_thread_footer.LIBCMT ref: 00405723
                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                • CloseHandle.KERNEL32 ref: 00405A23
                                • CloseHandle.KERNEL32 ref: 00405A2B
                                • CloseHandle.KERNEL32 ref: 00405A3D
                                • CloseHandle.KERNEL32 ref: 00405A45
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                • API String ID: 2994406822-18413064
                                • Opcode ID: d8bde5677188d792a6883f7c5c196f0a154a11b7ba6fa4759e04c2d1e51d608d
                                • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                • Opcode Fuzzy Hash: d8bde5677188d792a6883f7c5c196f0a154a11b7ba6fa4759e04c2d1e51d608d
                                • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                APIs
                                • GetCurrentProcessId.KERNEL32 ref: 00412141
                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                  • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                • CloseHandle.KERNEL32(00000000), ref: 00412190
                                • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                • API String ID: 3018269243-13974260
                                • Opcode ID: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                • Opcode Fuzzy Hash: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                • FindClose.KERNEL32(00000000), ref: 0040BC04
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                • API String ID: 1164774033-3681987949
                                • Opcode ID: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                • Opcode Fuzzy Hash: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                APIs
                                • OpenClipboard.USER32 ref: 004168FD
                                • EmptyClipboard.USER32 ref: 0041690B
                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                • GlobalLock.KERNEL32(00000000), ref: 00416934
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                • CloseClipboard.USER32 ref: 00416990
                                • OpenClipboard.USER32 ref: 00416997
                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                • CloseClipboard.USER32 ref: 004169BF
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                • String ID: !D@$xdF
                                • API String ID: 3520204547-3540039394
                                • Opcode ID: 5191756a023fad829b92f3fa5878b55421fcb75fc4cc2359890982a259b57d49
                                • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                • Opcode Fuzzy Hash: 5191756a023fad829b92f3fa5878b55421fcb75fc4cc2359890982a259b57d49
                                • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$xdF$xdF
                                • API String ID: 3756808967-2341171916
                                • Opcode ID: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                • Opcode Fuzzy Hash: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                • FindClose.KERNEL32(00000000), ref: 0040BE04
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Close$File$FirstNext
                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 3527384056-432212279
                                • Opcode ID: ac2c58898ed4881048f14169fe64a4f28670cbea93e3b81032ca527b9b506f8a
                                • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                • Opcode Fuzzy Hash: ac2c58898ed4881048f14169fe64a4f28670cbea93e3b81032ca527b9b506f8a
                                • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                • CloseHandle.KERNEL32(?), ref: 004134A0
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                • String ID:
                                • API String ID: 297527592-0
                                • Opcode ID: dee858e1b85592c64c41f44ec352a3ce1eab039c71e8d674f4de8b08b9980a85
                                • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                • Opcode Fuzzy Hash: dee858e1b85592c64c41f44ec352a3ce1eab039c71e8d674f4de8b08b9980a85
                                • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$1$2$3$4$5$6$7$VG
                                • API String ID: 0-1861860590
                                • Opcode ID: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                • Opcode Fuzzy Hash: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                APIs
                                  • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                  • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                  • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                  • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                  • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                • String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
                                • API String ID: 1589313981-3345310279
                                • Opcode ID: 5a67a4a310bbeab77cb956b6f29dad078fe7ead2311179410cf603bdc65d0c30
                                • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                • Opcode Fuzzy Hash: 5a67a4a310bbeab77cb956b6f29dad078fe7ead2311179410cf603bdc65d0c30
                                • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                APIs
                                • _wcslen.LIBCMT ref: 0040755C
                                • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Object_wcslen
                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                • API String ID: 240030777-3166923314
                                • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                • GetLastError.KERNEL32 ref: 0041A84C
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                • String ID:
                                • API String ID: 3587775597-0
                                • Opcode ID: e27a5b805aabdc83b270e3d89e94879a7947d6731083dd009164e38952afa952
                                • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                • Opcode Fuzzy Hash: e27a5b805aabdc83b270e3d89e94879a7947d6731083dd009164e38952afa952
                                • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$CreateFirstNext
                                • String ID: 8SG$8eF$PXG$PXG$NG$PG
                                • API String ID: 341183262-432830541
                                • Opcode ID: 54ba81e991093c6dccfdaf9162f41bafa2f6235a57d0cd9d07ce0c43f714be51
                                • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                • Opcode Fuzzy Hash: 54ba81e991093c6dccfdaf9162f41bafa2f6235a57d0cd9d07ce0c43f714be51
                                • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                • String ID: JD$JD$JD
                                • API String ID: 745075371-3517165026
                                • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 1164774033-405221262
                                • Opcode ID: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
                                • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                • Opcode Fuzzy Hash: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
                                • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                APIs
                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                  • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                • String ID:
                                • API String ID: 2341273852-0
                                • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                • GetLastError.KERNEL32 ref: 0040A328
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                • TranslateMessage.USER32(?), ref: 0040A385
                                • DispatchMessageA.USER32(?), ref: 0040A390
                                Strings
                                • Keylogger initialization failure: error , xrefs: 0040A33C
                                Similarity
                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                • String ID: Keylogger initialization failure: error
                                • API String ID: 3219506041-952744263
                                • Opcode ID: a77984c91bbe3eb1ff3a05bb511e534cb27265d75ac9b65a7bf9d2bb6548dda1
                                • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA
                                APIs
                                • GetForegroundWindow.USER32 ref: 0040A451
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                • GetKeyState.USER32(00000010), ref: 0040A46E
                                • GetKeyboardState.USER32(?), ref: 0040A479
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                Similarity
                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                • String ID:
                                • API String ID: 1888522110-0
                                • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                APIs
                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                Similarity
                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                • API String ID: 2127411465-314212984
                                • Opcode ID: 906faeb5203d37c74ddcedaba27fd20c986479be3f450a41c0319093749beec0
                                • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                APIs
                                • _free.LIBCMT ref: 00449292
                                • _free.LIBCMT ref: 004492B6
                                • _free.LIBCMT ref: 0044943D
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                • _free.LIBCMT ref: 00449609
                                Similarity
                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                • String ID:
                                • API String ID: 314583886-0
                                • Opcode ID: 8093d2f3b8c045a868d7bcc6f26560e4bd8a72bf10d174932f02c5f03ba06de8
                                • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                Strings
                                • 0aF, xrefs: 0040701B
                                • C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, xrefs: 00407042, 0040716A
                                • open, xrefs: 00406FF1
                                • 0aF, xrefs: 0040712C
                                Similarity
                                • API ID: DownloadExecuteFileShell
                                • String ID: 0aF$0aF$C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe$open
                                • API String ID: 2825088817-1284229830
                                • Opcode ID: a3d80589f937fc00409f1c87b067b324c796cd20f872ee043c00395bc31b0696
                                • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                APIs
                                • __EH_prolog.LIBCMT ref: 0040884C
                                • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                Similarity
                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                • String ID: xdF
                                • API String ID: 1771804793-999140092
                                • Opcode ID: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                • GetLastError.KERNEL32 ref: 0040BA93
                                Strings
                                • UserProfile, xrefs: 0040BA59
                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                • API String ID: 2018770650-1062637481
                                • Opcode ID: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                • GetLastError.KERNEL32 ref: 004179D8
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 3534403312-3733053543
                                • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                APIs
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                • API String ID: 4168288129-2761157908
                                • Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                APIs
                                • __EH_prolog.LIBCMT ref: 00409293
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                • FindClose.KERNEL32(00000000), ref: 004093FC
                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                • FindClose.KERNEL32(00000000), ref: 004095F4
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                Similarity
                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                • String ID:
                                • API String ID: 1824512719-0
                                • Opcode ID: 5217273ce41631ec4f36bb50ecbc328d28b03a03593037bf82bad60bde0a87b4
                                • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                Similarity
                                • API ID: Service$CloseHandle$Open$ManagerStart
                                • String ID:
                                • API String ID: 276877138-0
                                • Opcode ID: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                APIs
                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP
                                • API String ID: 2299586839-711371036
                                • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Yara matches
                                Similarity
                                • API ID: FileFind$FirstNextsend
                                • String ID: 8eF$XPG$XPG
                                • API String ID: 4113138495-4157548504
                                • Opcode ID: 20c8045531a9471aa8b02c6f4ac93d25acd726a71398db01e6c16fdcd5dcb5aa
                                • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                • Opcode Fuzzy Hash: 20c8045531a9471aa8b02c6f4ac93d25acd726a71398db01e6c16fdcd5dcb5aa
                                • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                APIs
                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                  • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                  • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137E1
                                  • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.3 Pro), ref: 004137EC
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseCreateInfoParametersSystemValue
                                • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                • API String ID: 4127273184-3126330168
                                • Opcode ID: 1b8314d2076e9d5c703d8fca3d96c61d813be21baf7682ae790ff92cd480d8bc
                                • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                • Opcode Fuzzy Hash: 1b8314d2076e9d5c703d8fca3d96c61d813be21baf7682ae790ff92cd480d8bc
                                • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                APIs
                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: SETTINGS
                                • API String ID: 3473537107-594951305
                                • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                APIs
                                • __EH_prolog.LIBCMT ref: 004096A5
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstH_prologNext
                                • String ID:
                                • API String ID: 1157919129-0
                                • Opcode ID: a4f9002d73e35e52d1f42a8e8860448eabd2e2251ec59754596a7abefe28d24e
                                • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                • Opcode Fuzzy Hash: a4f9002d73e35e52d1f42a8e8860448eabd2e2251ec59754596a7abefe28d24e
                                • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                Yara matches
                                Similarity
                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                • String ID:
                                • API String ID: 4212172061-0
                                • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID: p'E$JD
                                • API String ID: 1084509184-908320845
                                • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                Yara matches
                                Similarity
                                • API ID: ErrorInfoLastLocale$_free$_abort
                                • String ID:
                                • API String ID: 2829624132-0
                                • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                • ExitProcess.KERNEL32 ref: 0044338F
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID:
                                • API String ID: 1703294689-0
                                • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                APIs
                                • OpenClipboard.USER32(00000000), ref: 0040B74C
                                • GetClipboardData.USER32(0000000D), ref: 0040B758
                                • CloseClipboard.USER32 ref: 0040B760
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseDataOpen
                                • String ID:
                                • API String ID: 2058664381-0
                                • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                APIs
                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpenResume
                                • String ID:
                                • API String ID: 3614150671-0
                                • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                APIs
                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpenSuspend
                                • String ID:
                                • API String ID: 1999457699-0
                                • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                Strings
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: .
                                • API String ID: 0-248832578
                                • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID: JD
                                • API String ID: 1084509184-2669065882
                                • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: GetLocaleInfoEx
                                • API String ID: 2299586839-2904428671
                                • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$FreeProcess
                                • String ID:
                                • API String ID: 3859560861-0
                                • Opcode ID: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
                                • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                • Opcode Fuzzy Hash: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
                                • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID:
                                • API String ID: 3997070919-0
                                • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                • API String ID: 2325560087-0
                                • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$InfoLocale_abort
                                • String ID:
                                • API String ID: 1663032902-0
                                • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$InfoLocale_abort_free
                                • String ID:
                                • API String ID: 2692324296-0
                                • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                APIs
                                  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                • String ID:
                                • API String ID: 1272433827-0
                                • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                APIs
                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                • Instruction Fuzzy Hash:
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                APIs
                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                • DeleteDC.GDI32(00000000), ref: 00418F68
                                • DeleteObject.GDI32(00000000), ref: 00418F6B
                                • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                • DeleteDC.GDI32(00000000), ref: 00418F9D
                                • DeleteDC.GDI32(00000000), ref: 00418FA0
                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                • GetCursorInfo.USER32(?), ref: 00418FE2
                                • GetIconInfo.USER32(?,?), ref: 00418FF8
                                • DeleteObject.GDI32(?), ref: 00419027
                                • DeleteObject.GDI32(?), ref: 00419034
                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                • DeleteDC.GDI32(?), ref: 004191B7
                                • DeleteDC.GDI32(00000000), ref: 004191BA
                                • DeleteObject.GDI32(00000000), ref: 004191BD
                                • GlobalFree.KERNEL32(?), ref: 004191C8
                                • DeleteObject.GDI32(00000000), ref: 0041927C
                                • GlobalFree.KERNEL32(?), ref: 00419283
                                • DeleteDC.GDI32(?), ref: 00419293
                                • DeleteDC.GDI32(00000000), ref: 0041929E
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                • String ID: DISPLAY
                                • API String ID: 4256916514-865373369
                                • Opcode ID: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                • Opcode Fuzzy Hash: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
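The API list for the function at 00418ECB..0041929E is the classic GDI screen-capture chain (a DC on the "DISPLAY" device, a compatible bitmap, a blit, GetDIBits to pull the pixels) with a cursor overlay (GetCursorInfo/GetIconInfo/DrawIcon). The raster-op arguments are worth decoding: 00CC0020 is SRCCOPY and 00660046 is SRCINVERT; 00000018 passed to GetObjectA is sizeof(BITMAP) on 32-bit, and 00000040 to LocalAlloc is LPTR. The following is an added example, not part of the Joe Sandbox report: a small parser for the report's own "• Api.DLL(args), ref: addr" layout that turns such a list into a behaviour summary usable for triage automation. The sample trace is a constructed excerpt copied from the list above; the classification thresholds are my own choices.

```python
import re
from typing import Dict, List

# Constructed excerpt of the screen-capture function's API list, in the report's
# "• Api.DLL(args), ref: addr" layout; one line carries the "Part of subcall function" prefix.
SAMPLE_TRACE = """\
• CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
• CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
  • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
• CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
• SelectObject.GDI32(00000000,00000000), ref: 00418F8C
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
• GetCursorInfo.USER32(?), ref: 00418FE2
• GetIconInfo.USER32(?,?), ref: 00418FF8
• DrawIcon.USER32(00000000,?,?,?), ref: 00419041
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
• GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
• LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
• GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Raster-operation codes seen as the last argument of StretchBlt / BitBlt above.
ROP_NAMES = {0x00CC0020: "SRCCOPY", 0x00660046: "SRCINVERT"}


def parse_calls(text: str) -> List[Dict]:
    """Parse report-style API lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({
            "api": m.group("api"),
            "dll": m.group("dll"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),
        })
    return calls


def rop_name(arg: str) -> str:
    """Decode a hex raster-op argument; unknown codes are returned as 0x-prefixed hex."""
    try:
        code = int(arg, 16)
    except ValueError:
        return "?"
    return ROP_NAMES.get(code, f"0x{code:08X}")


def classify_capture(calls: List[Dict]) -> Dict:
    """Flag the display-capture chain and the cursor overlay; list blit ROPs in call-site order."""
    apis = {c["api"] for c in calls}
    display_dc = any(c["api"] == "CreateDCA" and c["args"][:1] == ["DISPLAY"] for c in calls)
    blits = sorted((c for c in calls if c["api"] in ("BitBlt", "StretchBlt")), key=lambda c: c["ref"])
    screen_capture = (
        display_dc
        and {"CreateCompatibleDC", "CreateCompatibleBitmap", "GetDIBits"} <= apis
        and bool(blits)
    )
    cursor_overlay = {"GetCursorInfo", "GetIconInfo", "DrawIcon"} <= apis
    return {
        "screen_capture": screen_capture,
        "cursor_overlay": cursor_overlay,
        "raster_ops": [rop_name(c["args"][-1]) for c in blits],
        "subcalls": sorted({c["subcall"] for c in calls if c["subcall"]}),
    }


if __name__ == "__main__":
    print(classify_capture(parse_calls(SAMPLE_TRACE)))
```

The two-blit shape (SRCCOPY for the desktop, then a second blit after DrawIcon) is what distinguishes a capture that embeds the mouse pointer from a plain desktop grab, which is a useful field to carry into a sandbox-triage summary.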
                                APIs
                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                • ExitProcess.KERNEL32 ref: 0040D80B
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("$xdF$xpF
                                • API String ID: 1861856835-1269936466
                                • Opcode ID: 3831aceb1d22e6e7d0b93e81b17b4507cce6e75ae5e0c8aaec154484add800c1
                                • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                • Opcode Fuzzy Hash: 3831aceb1d22e6e7d0b93e81b17b4507cce6e75ae5e0c8aaec154484add800c1
                                • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
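The call sequence and strings above are the uninstall path: the Run-key entry is removed with RegDeleteKeyA, the hidden/system attributes are cleared with SetFileAttributesW(FILE_ATTRIBUTE_NORMAL), a script is written to %Temp%\update.vbs that busy-waits in a `while fso.FileExists(...)` / `fso.DeleteFile` / `wend` loop until the exiting EXE can be deleted, removes the install folder, deletes itself via `Wscript.ScriptFullName`, and is launched with ShellExecuteW("open") just before ExitProcess. The following triage scanner is an added example, not code from the report or from the Remcos sample: it scores a .vbs file for that self-deleting uninstaller pattern, taking the FileSystemObject variable name from the script itself so renamed variants still match. The two embedded scripts are constructed test inputs assembled from the string fragments listed above; the paths in them are placeholders, not values recovered from the sample.

```python
import re

FSO_RE = re.compile(r'Set\s+(\w+)\s*=\s*CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I)


def strip_comments(src):
    """Remove VBScript comments (' and REM) outside string literals and join
    '_' line continuations, so the indicator regexes see real statements."""
    out = []
    for line in src.splitlines():
        if re.match(r"\s*REM\b", line, re.I):
            continue
        in_str, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == "'" and not in_str:
                cut = i
                break
        out.append(line[:cut])
    return re.sub(r"\s_\n", " ", "\n".join(out))


def score_uninstaller(src):
    """Score a .vbs for the uninstall/self-delete pattern: a FileSystemObject,
    a FileExists busy-wait around DeleteFile (waits for the EXE to exit),
    and deletion of the script itself via Wscript.ScriptFullName."""
    text = strip_comments(src)
    m = FSO_RE.search(text)
    if not m:
        return {"verdict": "clean", "hits": [], "targets": []}
    fso = re.escape(m.group(1))          # the script's own variable name
    checks = {
        "delete_loop":   rf"\bwhile\s+{fso}\.FileExists\(.*?\).*?{fso}\.DeleteFile\b.*?\bwend\b",
        "self_delete":   rf"{fso}\.DeleteFile\s*\(?\s*Wscript\.ScriptFullName",
        "delete_folder": rf"{fso}\.DeleteFolder\b",
        "shell_cmd":     r'CreateObject\(\s*"WScript\.Shell"\s*\)\.Run\s+"cmd\s*/c',
        "errors_hidden": r"^\s*On\s+Error\s+Resume\s+Next\b",
    }
    hits = [name for name, pat in checks.items()
            if re.search(pat, text, re.I | re.S | re.M)]
    # Files the script tries to delete: the installed EXE path is the IOC.
    targets = re.findall(rf'{fso}\.DeleteFile\s+"([^"]+)"', text, re.I)
    if {"delete_loop", "self_delete"} <= set(hits):
        verdict = "uninstaller"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "targets": targets}


# Constructed sample, assembled from the string fragments in the report's
# String ID list; the paths are placeholders, not values from the sample.
UNINSTALL_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\victim\AppData\Roaming\example\example.exe")
fso.DeleteFile "C:\Users\victim\AppData\Roaming\example\example.exe"
wend
fso.DeleteFolder "C:\Users\victim\AppData\Roaming\example"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign admin script that also uses FileSystemObject: must be clean.
BENIGN_VBS = r'''REM rotate the application log (constructed, benign)
Set fs = CreateObject("Scripting.FileSystemObject")
If fs.FileExists("C:\logs\app.log") Then
    fs.CopyFile "C:\logs\app.log", "C:\logs\app.log.bak", True  ' overwrite
End If
'''

if __name__ == "__main__":
    print(score_uninstaller(UNINSTALL_VBS))
    print(score_uninstaller(BENIGN_VBS))
```

Run it over every .vbs in a user's %Temp% during triage; a hit with verdict `uninstaller` gives you the path of the binary that was installed (the `targets` list) even after the uninstall loop has already removed it.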
                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                • ResumeThread.KERNEL32(?), ref: 00418470
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                • GetLastError.KERNEL32 ref: 004184B5
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                • API String ID: 4188446516-3035715614
                                • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
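The function above is the RunPE / process-hollowing routine: ZwCreateSection, ZwMapViewOfSection, ZwUnmapViewOfSection and ZwClose are resolved from ntdll by name, a child is started with CreateProcessW and dwCreationFlags 0x00000004 (CREATE_SUSPENDED), its context and PEB image base are read, the payload is written with WriteProcessMemory, the entry point is redirected with SetThreadContext, and the thread is resumed; either TerminateProcess path is the cleanup on failure. The following matcher is an added example, not code from the report or from the Remcos sample: it walks an ordered API trace and flags that chain, insisting on CREATE_SUSPENDED and treating a GetProcAddress resolution of ZwUnmapViewOfSection as evidence of the unmap step, since a call made through the resolved pointer never appears as a direct API line. The line format it parses is my own, modelled on the report's API lines; the embedded trace is constructed from the calls listed above with their argument values copied verbatim.

```python
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004
UNMAP_APIS = {"ZwUnmapViewOfSection", "NtUnmapViewOfSection"}

# Core stages of the hollowing chain, in required order; each stage lists the
# API names that satisfy it (Wow64 variants included).
CORE_STAGES = [
    ("spawn_suspended", {"CreateProcessW", "CreateProcessA"}),
    ("read_context",    {"GetThreadContext", "Wow64GetThreadContext"}),
    ("write_payload",   {"WriteProcessMemory"}),
    ("set_context",     {"SetThreadContext", "Wow64SetThreadContext"}),
    ("resume",          {"ResumeThread", "NtResumeThread"}),
]

# Assumed trace line format (my own, modelled on the report's API lines):
#   <Api>.<Module>(<arg>,<arg>,...), ref: <address>
LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str


def parse_trace(text):
    """Parse report-style API lines; 'Part of subcall' lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        api, module, argstr, ref = m.groups()
        args = [a.strip() for a in argstr.split(",")] if argstr else []
        calls.append(Call(api, module, args, ref))
    return calls


def _hexarg(args, idx):
    """Argument idx as an int, or None for '?' and unresolved strings."""
    if idx >= len(args):
        return None
    try:
        return int(args[idx], 16)
    except ValueError:
        return None


def find_hollowing(calls):
    """Return a dict describing the hollowing chain, or None when the ordered
    core stages are not all present."""
    resolved = {a for c in calls for a in c.args if a in UNMAP_APIS}
    hits, stage, unmap = [], 0, None
    for c in calls:
        if c.api in UNMAP_APIS and 0 < stage < 3:      # between spawn and write
            unmap = ("direct", c.ref)
        name, apis = CORE_STAGES[stage]
        if c.api not in apis:
            continue
        if name == "spawn_suspended":
            flags = _hexarg(c.args, 5)                  # dwCreationFlags
            if flags is None or not flags & CREATE_SUSPENDED:
                continue
        hits.append((name, c.ref))
        stage += 1
        if stage == len(CORE_STAGES):
            break
    if stage < len(CORE_STAGES):
        return None
    if unmap is None and resolved:
        unmap = ("resolved", sorted(resolved)[0])
    return {"stages": hits, "unmap": unmap,
            "confidence": "high" if unmap else "medium"}


# Constructed trace: the calls the report lists for this function, in order.
REPORT_TRACE = """
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
• GetProcAddress.KERNEL32(00000000), ref: 00418174
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
• GetProcAddress.KERNEL32(00000000), ref: 00418188
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
• GetProcAddress.KERNEL32(00000000), ref: 0041819C
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
• GetThreadContext.KERNEL32(?,00000000), ref: 00418280
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
• SetThreadContext.KERNEL32(?,00000000), ref: 00418463
• ResumeThread.KERNEL32(?), ref: 00418470
"""

# Constructed control: a suspended start that never writes a foreign image
# (a debugger-style launch) must not match.
BENIGN_TRACE = """
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00401000
• GetThreadContext.KERNEL32(?,00000000), ref: 00401010
• ResumeThread.KERNEL32(?), ref: 00401020
"""


def scan(text):
    return find_hollowing(parse_trace(text))


if __name__ == "__main__":
    print(scan(REPORT_TRACE))
    print(scan(BENIGN_TRACE))
```

The stage list is deliberately ordered rather than a bag of API names: WriteProcessMemory after a suspended CreateProcessW and before SetThreadContext/ResumeThread is what separates hollowing from a debugger or a parent that merely starts a child suspended.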
                                APIs
                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                  • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                  • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                • ExitProcess.KERNEL32 ref: 0040D454
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xdF$xpF
                                • API String ID: 3797177996-2858374497
                                • Opcode ID: 5ea89510e99e255cff43ffc81d3dc9d7b560b2414651548bcd7dcad2d5155117
                                • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                • Opcode Fuzzy Hash: 5ea89510e99e255cff43ffc81d3dc9d7b560b2414651548bcd7dcad2d5155117
                                • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                • CloseHandle.KERNEL32(00000000), ref: 00412576
                                • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                  • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                • Sleep.KERNEL32(000001F4), ref: 004126BD
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                • String ID: .exe$8SG$WDH$exepath$open$temp_
                                • API String ID: 2649220323-436679193
                                • Opcode ID: e4498816270222a488e6bf5402939aedbcf49cf9c73125b441753154fee32edb
                                • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                • Opcode Fuzzy Hash: e4498816270222a488e6bf5402939aedbcf49cf9c73125b441753154fee32edb
                                • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                APIs
                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                • SetEvent.KERNEL32 ref: 0041B2AA
                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                • CloseHandle.KERNEL32 ref: 0041B2CB
                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                • API String ID: 738084811-2094122233
                                • Opcode ID: 1d877dcbc1b23002afbada965c9bddf541debd2a79e700171488071fa355c7d2
                                • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                • Opcode Fuzzy Hash: 1d877dcbc1b23002afbada965c9bddf541debd2a79e700171488071fa355c7d2
                                • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Write$Create
                                • String ID: RIFF$WAVE$data$fmt
                                • API String ID: 1602526932-4212202414
                                • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
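The fourteen WriteFile calls above emit a canonical 44-byte PCM RIFF/WAVE header field by field ("RIFF", RIFF size, "WAVE", "fmt ", fmt chunk size, format tag, channels, sample rate, byte rate, block align, bits per sample, "data", data size; the write sizes 4,4,4,4,4,2,2,4,4,2,2,4,4 add up to exactly that layout) ahead of the captured audio that the mciSendString routine records. The code below is an added example, not code from the report or from the Remcos sample: a writer that produces the same byte layout, plus a header parser and carver that validate the size arithmetic and report the recording parameters, which is what you need to recover and play back such captures from disk or from a memory dump. The blob it scans is constructed test data, not audio from the analysis.

```python
import struct
from dataclasses import dataclass

WAV_HEADER_LEN = 44        # the 14 writes in the trace total 44 bytes
WAVE_FORMAT_PCM = 1


def build_wav_header(channels, sample_rate, bits_per_sample, data_len):
    """Emit the header in the same field order as the WriteFile sequence:
    RIFF, riff size, WAVE, fmt , fmt size, format tag, channels, sample rate,
    byte rate, block align, bits per sample, data, data size."""
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    return b"".join([
        b"RIFF", struct.pack("<I", 36 + data_len),    # file size minus 8
        b"WAVE",
        b"fmt ", struct.pack("<I", 16),               # PCM fmt payload is 16 bytes
        struct.pack("<HHIIHH", WAVE_FORMAT_PCM, channels, sample_rate,
                    byte_rate, block_align, bits_per_sample),
        b"data", struct.pack("<I", data_len),
    ])


@dataclass
class WavInfo:
    offset: int
    channels: int
    sample_rate: int
    bits_per_sample: int
    data_len: int
    truncated: bool        # buffer ends before data_len bytes of samples

    @property
    def seconds(self):
        return self.data_len / (self.sample_rate * self.channels * self.bits_per_sample // 8)


def parse_wav_header(buf, offset=0):
    """Validate a PCM RIFF/WAVE header at buf[offset:]; None if the magic or
    the size arithmetic does not hold (guards against false carves)."""
    if len(buf) - offset < WAV_HEADER_LEN:
        return None
    h = buf[offset:offset + WAV_HEADER_LEN]
    if h[0:4] != b"RIFF" or h[8:12] != b"WAVE" or h[12:16] != b"fmt " or h[36:40] != b"data":
        return None
    riff_size = struct.unpack_from("<I", h, 4)[0]
    fmt_size = struct.unpack_from("<I", h, 16)[0]
    tag, channels, rate, byte_rate, align, bits = struct.unpack_from("<HHIIHH", h, 20)
    data_len = struct.unpack_from("<I", h, 40)[0]
    if fmt_size != 16 or tag != WAVE_FORMAT_PCM:
        return None
    if not (1 <= channels <= 8) or bits not in (8, 16, 24, 32) or rate == 0:
        return None
    if align != channels * bits // 8 or byte_rate != rate * align:
        return None
    if riff_size != 36 + data_len:
        return None
    truncated = offset + WAV_HEADER_LEN + data_len > len(buf)
    return WavInfo(offset, channels, rate, bits, data_len, truncated)


def carve_wav(buf):
    """Scan a blob (file or memory dump) for embedded PCM WAV headers."""
    found, pos = [], 0
    while True:
        pos = buf.find(b"RIFF", pos)
        if pos < 0:
            return found
        info = parse_wav_header(buf, pos)
        if info:
            found.append(info)
        pos += 4


# Constructed sample blob (not data from the analysis): padding, a complete
# one-second 8 kHz mono recording, a stray RIFF magic, then a second header
# whose sample data was cut off, as happens when a dump ends mid-file.
SAMPLE_BLOB = (bytes(100)
               + build_wav_header(1, 8000, 16, 16000) + bytes(16000)
               + b"RIFFjunk"
               + build_wav_header(2, 44100, 16, 400000) + bytes(1000))

if __name__ == "__main__":
    for w in carve_wav(SAMPLE_BLOB):
        print(f"offset={w.offset} {w.channels}ch {w.sample_rate}Hz {w.bits_per_sample}bit "
              f"{w.seconds:.2f}s truncated={w.truncated}")
```

A header that passes the size checks but is flagged `truncated` is still worth extracting: the leading samples are intact, and a media player will usually play a WAV whose data chunk is shorter than its declared length.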
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe,00000001,00407688,C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                • API String ID: 1646373207-4064707884
                                • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                APIs
                                • _wcslen.LIBCMT ref: 0040CE42
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                • _wcslen.LIBCMT ref: 0040CF21
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe,00000000,00000000), ref: 0040CFBF
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                • _wcslen.LIBCMT ref: 0040D001
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                • ExitProcess.KERNEL32 ref: 0040D09D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                • String ID: 6$C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe$del$open$xdF
                                • API String ID: 1579085052-4041819874
                                • Opcode ID: 1f26a9a137c80f5632c92eb2222ab7f2ba6ebdcc1e6d02a5e4a10b2a6e82a7e9
                                • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                • Opcode Fuzzy Hash: 1f26a9a137c80f5632c92eb2222ab7f2ba6ebdcc1e6d02a5e4a10b2a6e82a7e9
                                • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                APIs
                                • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                • _wcslen.LIBCMT ref: 0041C1CC
                                • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                • GetLastError.KERNEL32 ref: 0041C204
                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                • GetLastError.KERNEL32 ref: 0041C261
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                • String ID: ?
                                • API String ID: 3941738427-1684325040
                                • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                • Sleep.KERNEL32(00000064), ref: 00412ECF
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                • String ID: /stext "$,aF$0TG$0TG$NG$NG
                                • API String ID: 1223786279-4119708859
                                • Opcode ID: 583ba9445512bb489e6982821745b4eb08553e1fb02bb9889d9df513220c5935
                                • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                • Opcode Fuzzy Hash: 583ba9445512bb489e6982821745b4eb08553e1fb02bb9889d9df513220c5935
                                • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$EnvironmentVariable$_wcschr
                                • String ID:
                                • API String ID: 3899193279-0
                                • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                • __aulldiv.LIBCMT ref: 00408D88
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                • CloseHandle.KERNEL32(00000000), ref: 00409037
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF$NG
                                • API String ID: 3086580692-3944908133
                                • Opcode ID: e4fe33b0ccd7bee26e0fcfd36d7c202bf2793e1efbb0fc5c504c45f4694d4eb6
                                • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                • Opcode Fuzzy Hash: e4fe33b0ccd7bee26e0fcfd36d7c202bf2793e1efbb0fc5c504c45f4694d4eb6
                                • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                APIs
                                • Sleep.KERNEL32(00001388), ref: 0040A77B
                                  • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                  • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                  • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                  • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                • String ID: 8SG$8SG$pQG$pQG$xdF$PG$PG
                                • API String ID: 3795512280-661585845
                                • Opcode ID: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                • Opcode Fuzzy Hash: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                APIs
                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                • GetCursorPos.USER32(?), ref: 0041D67A
                                • SetForegroundWindow.USER32(?), ref: 0041D683
                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                • ExitProcess.KERNEL32 ref: 0041D6F6
                                • CreatePopupMenu.USER32 ref: 0041D6FC
                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                • String ID: Close
                                • API String ID: 1657328048-3535843008
                                • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$Info
                                • String ID:
                                • API String ID: 2509303402-0
                                • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                APIs
                                  • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                  • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                  • Part of subcall function 00413733: RegCloseKey.ADVAPI32(00000000), ref: 00413773
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                • ExitProcess.KERNEL32 ref: 0040D9FF
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open$xdF
                                • API String ID: 1913171305-1736969612
                                • Opcode ID: b69e3863cd24d91f8d09930e85150bb1700edda50eabfefcd59ed8dd1b1ec919
                                • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                • Opcode Fuzzy Hash: b69e3863cd24d91f8d09930e85150bb1700edda50eabfefcd59ed8dd1b1ec919
                                • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                • String ID: \ws2_32$\wship6$getaddrinfo
                                • API String ID: 2490988753-3078833738
                                • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 0045138A
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                  • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                • _free.LIBCMT ref: 0045137F
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 004513A1
                                • _free.LIBCMT ref: 004513B6
                                • _free.LIBCMT ref: 004513C1
                                • _free.LIBCMT ref: 004513E3
                                • _free.LIBCMT ref: 004513F6
                                • _free.LIBCMT ref: 00451404
                                • _free.LIBCMT ref: 0045140F
                                • _free.LIBCMT ref: 00451447
                                • _free.LIBCMT ref: 0045144E
                                • _free.LIBCMT ref: 0045146B
                                • _free.LIBCMT ref: 00451483
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                APIs
                                • __EH_prolog.LIBCMT ref: 0041A04A
                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                • GetLocalTime.KERNEL32(?), ref: 0041A196
                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                • API String ID: 489098229-1431523004
                                • Opcode ID: ef3a2b2680ef5ec4cf1756d8d4e3928048fec3981f722f661be4b2a60a96407b
                                • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                • Opcode Fuzzy Hash: ef3a2b2680ef5ec4cf1756d8d4e3928048fec3981f722f661be4b2a60a96407b
                                • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                APIs
                                  • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                • GetLastError.KERNEL32 ref: 00455D6F
                                • __dosmaperr.LIBCMT ref: 00455D76
                                • GetFileType.KERNEL32(00000000), ref: 00455D82
                                • GetLastError.KERNEL32 ref: 00455D8C
                                • __dosmaperr.LIBCMT ref: 00455D95
                                • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                • CloseHandle.KERNEL32(?), ref: 00455EFF
                                • GetLastError.KERNEL32 ref: 00455F31
                                • __dosmaperr.LIBCMT ref: 00455F38
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: \&G$\&G$`&G
                                • API String ID: 269201875-253610517
                                • Opcode ID: d7fd4124445081cfc97c5454a1c142f1a87d4c625925bb8ca3a98cb7b9f8d762
                                • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                • Opcode Fuzzy Hash: d7fd4124445081cfc97c5454a1c142f1a87d4c625925bb8ca3a98cb7b9f8d762
                                • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 65535$udp
                                • API String ID: 0-1267037602
                                • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 0040AD73
                                • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                • GetForegroundWindow.USER32 ref: 0040AD84
                                • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                • String ID: [${ User has been idle for $ minutes }$]
                                • API String ID: 911427763-3954389425
                                • Opcode ID: d4ca50f3b9696d63b5f7e64a9610b0c227878be3d70e665079abdcdf3b1860e6
                                • Instruction ID: 479ab846abdc3ffa357cf8cfb056c4a9d7a1c57035fbb5610920680a3dc8d5cf
                                • Opcode Fuzzy Hash: d4ca50f3b9696d63b5f7e64a9610b0c227878be3d70e665079abdcdf3b1860e6
                                • Instruction Fuzzy Hash: 1251E2716043419BD714FB22D856AAE7795AF84308F10093FF986A22E2EF7C9D44C69F
                                APIs
                                • OpenClipboard.USER32 ref: 0041697C
                                • EmptyClipboard.USER32 ref: 0041698A
                                • CloseClipboard.USER32 ref: 00416990
                                • OpenClipboard.USER32 ref: 00416997
                                • GetClipboardData.USER32(0000000D), ref: 004169A7
                                • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                • CloseClipboard.USER32 ref: 004169BF
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                • String ID: !D@$xdF
                                • API String ID: 2172192267-3540039394
                                • Opcode ID: 0916ac08766f268bc748aa182f3e4d0b5c60d1c6def3acf1de95a0795d360f37
                                • Instruction ID: c3dc955394dadbf9cb8fa72aed918e4e170398eafb94270add22466952777bd7
                                • Opcode Fuzzy Hash: 0916ac08766f268bc748aa182f3e4d0b5c60d1c6def3acf1de95a0795d360f37
                                • Instruction Fuzzy Hash: AA014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                • __dosmaperr.LIBCMT ref: 0043A926
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                • __dosmaperr.LIBCMT ref: 0043A963
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                • __dosmaperr.LIBCMT ref: 0043A9B7
                                • _free.LIBCMT ref: 0043A9C3
                                • _free.LIBCMT ref: 0043A9CA
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                • String ID:
                                • API String ID: 2441525078-0
                                • Opcode ID: 9262cdba7b4adcfb063e64ce379082e8e02018adb4241b1373288f504c0df5cf
                                • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                • Opcode Fuzzy Hash: 9262cdba7b4adcfb063e64ce379082e8e02018adb4241b1373288f504c0df5cf
                                • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Eventinet_ntoa
                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$x<z$NG
                                • API String ID: 3578746661-989786660
                                • Opcode ID: 4ceb88d166270ac6dfb1d2b16e550667666bb2b580eec511b7802f67d82c2f81
                                • Instruction ID: 5b49fc9f60f15aadef5e91219dcc0d557585a55aed20fbc46105045b647f8dc0
                                • Opcode Fuzzy Hash: 4ceb88d166270ac6dfb1d2b16e550667666bb2b580eec511b7802f67d82c2f81
                                • Instruction Fuzzy Hash: 5351D531A042015BC714FB36D95AAAE36A5AB84344F40453FFA06676F2EF7C8985C7CE
                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                • TranslateMessage.USER32(?), ref: 0040557E
                                • DispatchMessageA.USER32(?), ref: 00405589
                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                • String ID: CloseChat$DisplayMessage$GetMessage
                                • API String ID: 2956720200-749203953
                                • Opcode ID: c169fda0156d4d4cd66ad22aedc816e36154925b5c0f60d04c95d765b92539fd
                                • Instruction ID: d37e718accd843302ceacc2187c81124e04698433963f5de03abd71ab6b9016f
                                • Opcode Fuzzy Hash: c169fda0156d4d4cd66ad22aedc816e36154925b5c0f60d04c95d765b92539fd
                                • Instruction Fuzzy Hash: 39419071A04301ABCB14FB76DC5A86F37A9AB85704F40493EF516A31E1EF3C8905CB9A
                                APIs
                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                  • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                  • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumInfoOpenQuerysend
                                • String ID: (aF$,aF$xUG$xdF$NG$NG$TG
                                • API String ID: 3114080316-4028018678
                                • Opcode ID: 41c5b533bfdd4dc7bc564f964c13997d50c19c3080b78ed77f2a73134fac0371
                                • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                • Opcode Fuzzy Hash: 41c5b533bfdd4dc7bc564f964c13997d50c19c3080b78ed77f2a73134fac0371
                                • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                APIs
                                  • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                • String ID: 0VG$0VG$<$@$Temp
                                • API String ID: 1704390241-2575729100
                                • Opcode ID: 80ffa916d59d600171d9ca3e34e0670cc9ac865161bbbc65e8436c0bee0f72cd
                                • Instruction ID: 01f79aac078c9204ae4226344def03f9678a0966abb138ad227abf0e83d93267
                                • Opcode Fuzzy Hash: 80ffa916d59d600171d9ca3e34e0670cc9ac865161bbbc65e8436c0bee0f72cd
                                • Instruction Fuzzy Hash: 18417E319002099ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                • int.LIBCPMT ref: 00410EBC
                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                • String ID: ,kG$0kG$@!G
                                • API String ID: 3815856325-312998898
                                • Opcode ID: 234cc645e6f2b623d94fc8cb2d29f52bc734eee13d30ec18b0bfe81019bed365
                                • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                • Opcode Fuzzy Hash: 234cc645e6f2b623d94fc8cb2d29f52bc734eee13d30ec18b0bfe81019bed365
                                • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 096e2c87fc6c65f47e4c6c752a7259066b900e282f660f6c8049b8ab8b72f741
                                • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                • Opcode Fuzzy Hash: 096e2c87fc6c65f47e4c6c752a7259066b900e282f660f6c8049b8ab8b72f741
                                • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                APIs
                                • _free.LIBCMT ref: 004481B5
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 004481C1
                                • _free.LIBCMT ref: 004481CC
                                • _free.LIBCMT ref: 004481D7
                                • _free.LIBCMT ref: 004481E2
                                • _free.LIBCMT ref: 004481ED
                                • _free.LIBCMT ref: 004481F8
                                • _free.LIBCMT ref: 00448203
                                • _free.LIBCMT ref: 0044820E
                                • _free.LIBCMT ref: 0044821C
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C738
                                • DisplayName, xrefs: 0041C7CD
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumOpen
                                • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                • API String ID: 1332880857-3614651759
                                • Opcode ID: 0758d2217d4cdf4be18b27332201ce298183b926a753a4e26667fde6bb3e7a3c
                                • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                • Opcode Fuzzy Hash: 0758d2217d4cdf4be18b27332201ce298183b926a753a4e26667fde6bb3e7a3c
                                • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                • Sleep.KERNEL32(00000064), ref: 0041755C
                                • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CreateDeleteExecuteShellSleep
                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                • API String ID: 1462127192-2001430897
                                • Opcode ID: 74e705e902443d92e757842fd98a6aa38e7ce8337cfacc1c2ca4f7e1e99f0fa5
                                • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                • Opcode Fuzzy Hash: 74e705e902443d92e757842fd98a6aa38e7ce8337cfacc1c2ca4f7e1e99f0fa5
                                • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
                                APIs
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe), ref: 004074D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CurrentProcess
                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                • API String ID: 2050909247-4242073005
                                • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                APIs
                                • _strftime.LIBCMT ref: 00401D50
                                  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                • API String ID: 3809562944-243156785
                                • Opcode ID: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                • Opcode Fuzzy Hash: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                • waveInStart.WINMM ref: 00401CFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                • String ID: dMG$|MG$PG
                                • API String ID: 1356121797-532278878
                                • Opcode ID: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                • Opcode Fuzzy Hash: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                  • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                  • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                  • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                • TranslateMessage.USER32(?), ref: 0041D57A
                                • DispatchMessageA.USER32(?), ref: 0041D584
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                • String ID: Remcos
                                • API String ID: 1970332568-165870891
                                • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2617abffa626f75de14076698c196880abdc2722d48b4afa90194addc5c06332
                                • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                • Opcode Fuzzy Hash: 2617abffa626f75de14076698c196880abdc2722d48b4afa90194addc5c06332
                                • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                APIs
                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                • __alloca_probe_16.LIBCMT ref: 00453F6A
                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                • __alloca_probe_16.LIBCMT ref: 00454014
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                • __freea.LIBCMT ref: 00454083
                                • __freea.LIBCMT ref: 0045408F
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                • String ID:
                                • API String ID: 201697637-0
                                • Opcode ID: aca7b2e34d6fca180bf378bc8fe33df5bb5a65d5f6b622e42f01d4b2dcd141bd
                                • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                • Opcode Fuzzy Hash: aca7b2e34d6fca180bf378bc8fe33df5bb5a65d5f6b622e42f01d4b2dcd141bd
                                • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                APIs
                                  • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                  • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                  • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                  • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                • _memcmp.LIBVCRUNTIME ref: 004454A4
                                • _free.LIBCMT ref: 00445515
                                • _free.LIBCMT ref: 0044552E
                                • _free.LIBCMT ref: 00445560
                                • _free.LIBCMT ref: 00445569
                                • _free.LIBCMT ref: 00445575
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast$_abort_memcmp
                                • String ID: C
                                • API String ID: 1679612858-1037565863
                                • Opcode ID: 05701d8adb5406d1562c14b31316c91fe53ace2ea37426e70e906b20dbb38a64
                                • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                • Opcode Fuzzy Hash: 05701d8adb5406d1562c14b31316c91fe53ace2ea37426e70e906b20dbb38a64
                                • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tcp$udp
                                • API String ID: 0-3725065008
                                • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                • ExitThread.KERNEL32 ref: 004018F6
                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                • String ID: PkG$XMG$NG$NG
                                • API String ID: 1649129571-3151166067
                                • Opcode ID: 9cf1a6a6ab44acaa0afd0f96b31692beec7e5e585697f57ef5384488ba1b4939
                                • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                • Opcode Fuzzy Hash: 9cf1a6a6ab44acaa0afd0f96b31692beec7e5e585697f57ef5384488ba1b4939
                                • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                APIs
                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                • String ID: .part
                                • API String ID: 1303771098-3499674018
                                • Opcode ID: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
                                • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                • Opcode Fuzzy Hash: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
                                • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                APIs
                                • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Console$Window$AllocOutputShow
                                • String ID: Remcos v$5.1.3 Pro$CONOUT$
                                • API String ID: 4067487056-2212855755
                                • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                • __alloca_probe_16.LIBCMT ref: 0044AE40
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                • __freea.LIBCMT ref: 0044AEB0
                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                • __freea.LIBCMT ref: 0044AEB9
                                • __freea.LIBCMT ref: 0044AEDE
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                • String ID:
                                • API String ID: 3864826663-0
                                • Opcode ID: fdde0a3fba0e2e79fb92f6962f835a9100c7e8c667bc286140aaf21858552f70
                                • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                • Opcode Fuzzy Hash: fdde0a3fba0e2e79fb92f6962f835a9100c7e8c667bc286140aaf21858552f70
                                • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                APIs
                                • SendInput.USER32 ref: 00419A25
                                • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                  • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: InputSend$Virtual
                                • String ID:
                                • API String ID: 1167301434-0
                                • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: __freea$__alloca_probe_16_free
                                • String ID: a/p$am/pm$h{D
                                • API String ID: 2936374016-2303565833
                                • Opcode ID: f278f6ccdddd9c8957b45727c0f983370dbb743190d53240140d279861cd7d37
                                • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                • Opcode Fuzzy Hash: f278f6ccdddd9c8957b45727c0f983370dbb743190d53240140d279861cd7d37
                                • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                APIs
                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                • _free.LIBCMT ref: 00444E87
                                • _free.LIBCMT ref: 00444E9E
                                • _free.LIBCMT ref: 00444EBD
                                • _free.LIBCMT ref: 00444ED8
                                • _free.LIBCMT ref: 00444EEF
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$AllocateHeap
                                • String ID: KED
                                • API String ID: 3033488037-2133951994
                                • Opcode ID: 608df991a786fcfe36087b9db06c0af1d3846aff496c4c9c780995c6b43937c3
                                • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                • Opcode Fuzzy Hash: 608df991a786fcfe36087b9db06c0af1d3846aff496c4c9c780995c6b43937c3
                                • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                APIs
                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Enum$InfoQueryValue
                                • String ID: [regsplt]$xUG$TG
                                • API String ID: 3554306468-1165877943
                                • Opcode ID: 3ae30d7ecb9fae8e4ccd993942d297444c427d96697049075d9978310107aade
                                • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                • Opcode Fuzzy Hash: 3ae30d7ecb9fae8e4ccd993942d297444c427d96697049075d9978310107aade
                                • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                APIs
                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                • __fassign.LIBCMT ref: 0044B4F9
                                • __fassign.LIBCMT ref: 0044B514
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID:
                                • API String ID: 1324828854-0
                                • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                APIs
                                  • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                  • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                  • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                • _wcslen.LIBCMT ref: 0041B7F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                • API String ID: 3286818993-122982132
                                • Opcode ID: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                • Opcode Fuzzy Hash: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                APIs
                                  • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                  • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                  • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                • API String ID: 1133728706-4073444585
                                • Opcode ID: e02571ccf1d8d7642eb7522d4ecac0f64e4039cdab1393baceb5a006cb27889d
                                • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                • Opcode Fuzzy Hash: e02571ccf1d8d7642eb7522d4ecac0f64e4039cdab1393baceb5a006cb27889d
                                • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f00b1ad24c7174d2716471ab0982682010261559510d9071992da7a4292711ea
                                • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                • Opcode Fuzzy Hash: f00b1ad24c7174d2716471ab0982682010261559510d9071992da7a4292711ea
                                • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                APIs
                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                Strings
                                • http://geoplugin.net/json.gp, xrefs: 0041B448
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleOpen$FileRead
                                • String ID: http://geoplugin.net/json.gp
                                • API String ID: 3121278467-91888290
                                • Opcode ID: 1661cbeefb0a869a332648ab78465cd06cd4488e6fb953d598e5471a89dc2fb2
                                • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                • Opcode Fuzzy Hash: 1661cbeefb0a869a332648ab78465cd06cd4488e6fb953d598e5471a89dc2fb2
                                • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreatePointerWrite
                                • String ID: xpF
                                • API String ID: 1852769593-354647465
                                • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                APIs
                                  • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                • _free.LIBCMT ref: 00450FC8
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 00450FD3
                                • _free.LIBCMT ref: 00450FDE
                                • _free.LIBCMT ref: 00451032
                                • _free.LIBCMT ref: 0045103D
                                • _free.LIBCMT ref: 00451048
                                • _free.LIBCMT ref: 00451053
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                • int.LIBCPMT ref: 004111BE
                                  • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                  • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                • std::_Facet_Register.LIBCPMT ref: 004111FE
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                • String ID: (mG
                                • API String ID: 2536120697-4059303827
                                • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                APIs
                                • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                APIs
                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe), ref: 0040760B
                                  • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                  • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                • CoUninitialize.OLE32 ref: 00407664
                                Strings
                                • [+] before ShellExec, xrefs: 0040762C
                                • C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, xrefs: 004075EB, 004075EE, 00407640
                                • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
                                • [+] ShellExec success, xrefs: 00407649
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: InitializeObjectUninitialize_wcslen
                                • String ID: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                • API String ID: 3851391207-1984807623
                                • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                • GetLastError.KERNEL32 ref: 0040BB22
                                Strings
                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                • UserProfile, xrefs: 0040BAE8
                                • [Chrome Cookies not found], xrefs: 0040BB3C
                                • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                • API String ID: 2018770650-304995407
                                • Opcode ID: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                • Opcode Fuzzy Hash: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                Strings
                                • Rmc-PXKO50, xrefs: 00407715
                                • C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, xrefs: 004076FF
                                • xdF, xrefs: 004076E4
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe$Rmc-PXKO50$xdF
                                • API String ID: 0-1959094821
                                • Opcode ID: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
                                • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                • Opcode Fuzzy Hash: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
                                • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                APIs
                                • __allrem.LIBCMT ref: 0043ACE9
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                • __allrem.LIBCMT ref: 0043AD1C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                • __allrem.LIBCMT ref: 0043AD51
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                APIs
                                • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prologSleep
                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                • API String ID: 3469354165-3054508432
                                • Opcode ID: fef66e343663587799a4fb7e411b7be832f70b8e55665d4bb62892141d3c40a9
                                • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                • Opcode Fuzzy Hash: fef66e343663587799a4fb7e411b7be832f70b8e55665d4bb62892141d3c40a9
                                • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                APIs
                                  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                • String ID:
                                • API String ID: 3950776272-0
                                • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: __cftoe
                                • String ID:
                                • API String ID: 4189289331-0
                                • Opcode ID: d4cf2da0f410fbcc7cbee81c0db44e16d3fe49bd9b5005f3a7d0ddff8059c7c7
                                • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                • Opcode Fuzzy Hash: d4cf2da0f410fbcc7cbee81c0db44e16d3fe49bd9b5005f3a7d0ddff8059c7c7
                                • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                • String ID:
                                • API String ID: 493672254-0
                                • Opcode ID: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                • Opcode Fuzzy Hash: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                APIs
                                • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                • _free.LIBCMT ref: 004482CC
                                • _free.LIBCMT ref: 004482F4
                                • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                • _abort.LIBCMT ref: 00448313
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                • Opcode Fuzzy Hash: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                • Opcode Fuzzy Hash: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                • Opcode Fuzzy Hash: cf41fc214d4f8651c842d323f4a9434d7ee1c2a315675ff23975f89e6a089888
                                • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CountEventTick
                                • String ID: !D@$,aF$NG
                                • API String ID: 180926312-2771706352
                                • Opcode ID: baf2bdbb86109c289de7cb08416c7fcf6e187b39fb58b4422c9ab025fa7d3668
                                • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                • Opcode Fuzzy Hash: baf2bdbb86109c289de7cb08416c7fcf6e187b39fb58b4422c9ab025fa7d3668
                                • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                APIs
                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                • wsprintfW.USER32 ref: 0040B22E
                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: EventLocalTimewsprintf
                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                • API String ID: 1497725170-248792730
                                • Opcode ID: 8483a04bfd7ea6baf8cfc170cdd708fd1602994867dd4f0d52e6f9d070939f62
                                • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                • Opcode Fuzzy Hash: 8483a04bfd7ea6baf8cfc170cdd708fd1602994867dd4f0d52e6f9d070939f62
                                • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSizeSleep
                                • String ID: XQG
                                • API String ID: 1958988193-3606453820
                                • Opcode ID: bd687066b5cbb8e815070d7a929d8c1079e18074e8845f285221059fdbc6b2c9
                                • Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
                                • Opcode Fuzzy Hash: bd687066b5cbb8e815070d7a929d8c1079e18074e8845f285221059fdbc6b2c9
                                • Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F
                                APIs
                                • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                • GetLastError.KERNEL32 ref: 0041D611
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ClassCreateErrorLastRegisterWindow
                                • String ID: 0$MsgWindowClass
                                • API String ID: 2877667751-2410386613
                                • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                APIs
                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                • CloseHandle.KERNEL32(?), ref: 004077E5
                                • CloseHandle.KERNEL32(?), ref: 004077EA
                                Strings
                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreateProcess
                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                • API String ID: 2922976086-4183131282
                                • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                • String ID: KeepAlive | Disabled
                                • API String ID: 2993684571-305739064
                                • Opcode ID: 79b17cb61ca097f2dd87540d91e49b40a86234966918d688794a6c742f2a43ed
                                • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                • Opcode Fuzzy Hash: 79b17cb61ca097f2dd87540d91e49b40a86234966918d688794a6c742f2a43ed
                                • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                APIs
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                • Sleep.KERNEL32(00002710), ref: 0041AE98
                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                • String ID: Alarm triggered
                                • API String ID: 614609389-2816303416
                                • Opcode ID: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                • Opcode Fuzzy Hash: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                APIs
                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                Strings
                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                • API String ID: 3024135584-2418719853
                                • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                APIs
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                • _free.LIBCMT ref: 0044943D
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 00449609
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 1286116820-0
                                • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                APIs
                                  • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                  • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                  • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                  • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                  • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                Yara matches
                                Similarity
                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                • String ID:
                                • API String ID: 2180151492-0
                                • Opcode ID: 7dd0a2589bcf66fb4e05fdbb895c6441c797bb06360a356b71bb4639b4fedce6
                                • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                • Opcode Fuzzy Hash: 7dd0a2589bcf66fb4e05fdbb895c6441c797bb06360a356b71bb4639b4fedce6
                                • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                APIs
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                • __alloca_probe_16.LIBCMT ref: 00451231
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                • __freea.LIBCMT ref: 0045129D
                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                • String ID:
                                • API String ID: 313313983-0
                                • Opcode ID: bc12763b399a6208d318c17ed7bb5e89049be1fb7aa338cc20da594798c3f730
                                • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                • Opcode Fuzzy Hash: bc12763b399a6208d318c17ed7bb5e89049be1fb7aa338cc20da594798c3f730
                                • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                  • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                • _free.LIBCMT ref: 0044F43F
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                Yara matches
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                • Opcode ID: 5500135b4103b87c343acc58efff57d349ffb1ffd5e47bf571a7f4768ca97117
                                • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                • Opcode Fuzzy Hash: 5500135b4103b87c343acc58efff57d349ffb1ffd5e47bf571a7f4768ca97117
                                • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                APIs
                                • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                • _free.LIBCMT ref: 00448353
                                • _free.LIBCMT ref: 0044837A
                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                APIs
                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpen$FileImageName
                                • String ID:
                                • API String ID: 2951400881-0
                                • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                APIs
                                • _free.LIBCMT ref: 00450A54
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 00450A66
                                • _free.LIBCMT ref: 00450A78
                                • _free.LIBCMT ref: 00450A8A
                                • _free.LIBCMT ref: 00450A9C
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                APIs
                                • _free.LIBCMT ref: 00444106
                                  • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                  • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                • _free.LIBCMT ref: 00444118
                                • _free.LIBCMT ref: 0044412B
                                • _free.LIBCMT ref: 0044413C
                                • _free.LIBCMT ref: 0044414D
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                APIs
                                • _strpbrk.LIBCMT ref: 0044E7B8
                                • _free.LIBCMT ref: 0044E8D5
                                  • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                  • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                  • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                • String ID: *?$.
                                • API String ID: 2812119850-3972193922
                                • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                APIs
                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                • String ID: XQG$NG$PG
                                • API String ID: 1634807452-3565412412
                                • Opcode ID: d2e826c99f8c0848ecd3631a4149e1aeaab31d4119858e34005b206c63bbb2fb
                                • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                • Opcode Fuzzy Hash: d2e826c99f8c0848ecd3631a4149e1aeaab31d4119858e34005b206c63bbb2fb
                                • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe,00000104), ref: 00443515
                                • _free.LIBCMT ref: 004435E0
                                • _free.LIBCMT ref: 004435EA
                                Strings
                                • C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe, xrefs: 0044350C, 00443513, 00443542, 0044357A
                                Yara matches
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Users\user\Desktop\1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f4d7c739.dat-decoded.exe
                                • API String ID: 2506810119-3383721939
                                • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                  • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                  • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                • String ID: /sort "Visit Time" /stext "$0NG
                                • API String ID: 368326130-3219657780
                                • Opcode ID: 19a75f4089cd682c196d93085774e8610958794b4b53e2c59ee42357a682b9a9
                                • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                • Opcode Fuzzy Hash: 19a75f4089cd682c196d93085774e8610958794b4b53e2c59ee42357a682b9a9
                                • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                APIs
                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: [End of clipboard]$[Text copied to clipboard]$xdF
                                • API String ID: 1881088180-1310280921
                                • Opcode ID: 961b7b1a26abc7e4daef6f01c6d0dc322bcd9b7c3ee2841ee0eb4e4cc83ad451
                                • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                • Opcode Fuzzy Hash: 961b7b1a26abc7e4daef6f01c6d0dc322bcd9b7c3ee2841ee0eb4e4cc83ad451
                                • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                APIs
                                • _wcslen.LIBCMT ref: 00416330
                                  • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                  • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                  • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                  • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _wcslen$CloseCreateValue
                                • String ID: !D@$okmode$PG
                                • API String ID: 3411444782-3370592832
                                • Opcode ID: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                • Opcode Fuzzy Hash: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                APIs
                                  • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                Strings
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                • Opcode Fuzzy Hash: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                APIs
                                  • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                Strings
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                • Opcode Fuzzy Hash: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
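The two functions above probe, via PathFileExistsW, for the Chromium cookie database under the Chrome and Edge user-data directories, first for the Default profile and then for numbered profiles. The following Python is an added example (not Joe Sandbox output and not the sample's code) that reproduces that probing order so an analyst can scope which cookie stores on a host the sample would have found. It assumes that the "?" in "User Data\Profile ?\Network\Cookies" stands for a profile index filled in at runtime, so it tries Profile 1 up to a configurable limit; the directory fixture in build_demo_tree() is constructed for the example.

```python
r"""Enumerate the Chromium cookie stores the sample probes.

Added example (not Joe Sandbox or Remcos code). It mirrors the PathFileExistsW
checks in the two cookie-path functions of the report, which test
  \AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
  \AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
and the same paths with "Profile ?" in place of "Default". Assumption: "?" is
a profile index substituted at runtime, so Profile 1..max_profiles is tried.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Browser roots spelled as in the report's subcall strings, relative to %LOCALAPPDATA%
BROWSER_ROOTS = (
    Path("Google") / "Chrome",
    Path("Microsoft") / "Edge",
)


def cookie_candidates(local_appdata: str | Path, max_profiles: int = 10) -> list[Path]:
    """Candidate paths in the order the sample tests them: Default, then Profile n."""
    local_appdata = Path(local_appdata)
    out: list[Path] = []
    for root in BROWSER_ROOTS:
        user_data = local_appdata / root / "User Data"
        out.append(user_data / "Default" / "Network" / "Cookies")
        out.extend(user_data / f"Profile {n}" / "Network" / "Cookies"
                   for n in range(1, max_profiles + 1))
    return out


def find_chromium_cookie_stores(local_appdata: str | Path, max_profiles: int = 10) -> list[Path]:
    """Candidates that exist. PathFileExistsW returns TRUE for files and
    directories alike, so exists() rather than is_file() mirrors the sample."""
    return [p for p in cookie_candidates(local_appdata, max_profiles) if p.exists()]


def build_demo_tree(base: Path) -> Path:
    """Constructed fixture: a fake %LOCALAPPDATA% with a Chrome Default profile,
    a Chrome Profile 2 and an Edge Default profile. The files carry only a SQLite
    header; real Cookies files are full SQLite databases."""
    for rel in (
        "Google/Chrome/User Data/Default/Network/Cookies",
        "Google/Chrome/User Data/Profile 2/Network/Cookies",
        "Microsoft/Edge/User Data/Default/Network/Cookies",
    ):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"SQLite format 3\x00")
    return base


def demo() -> list[str]:
    """Build the fixture in a temp dir and return the stores found, relative to it."""
    base = build_demo_tree(Path(tempfile.mkdtemp(prefix="remcos_cookie_demo_")))
    return [p.relative_to(base).as_posix() for p in find_chromium_cookie_stores(base)]


if __name__ == "__main__":
    # On a live Windows host this lists the stores the sample could have reached.
    live = os.environ.get("LOCALAPPDATA")
    print("live host:", [str(p) for p in find_chromium_cookie_stores(live)] if live else "n/a")
    print("fixture:", demo())
```

Note that the sample checks Chrome before Edge and the Default profile before numbered ones; the Profile 1 gap in the fixture is skipped without stopping the scan, which is why a triage that only looks at Default under-counts the exposure on multi-profile machines.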
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040A249
                                • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040A255
                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTimewsprintf
                                • String ID: Offline Keylogger Started
                                • API String ID: 465354869-4114347211
                                • Opcode ID: 1e3120ed3182c836d7244f4e95a692e041c786e93486a4ca8bb36869d82516a6
                                • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                • Opcode Fuzzy Hash: 1e3120ed3182c836d7244f4e95a692e041c786e93486a4ca8bb36869d82516a6
                                • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                APIs
                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTime$wsprintf
                                • String ID: Online Keylogger Started
                                • API String ID: 112202259-1258561607
                                • Opcode ID: ca68cf39fc6d7dc1a346c019aa3ec03b3636d2d573533672713bc3837481a91b
                                • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                • Opcode Fuzzy Hash: ca68cf39fc6d7dc1a346c019aa3ec03b3636d2d573533672713bc3837481a91b
                                • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                APIs
                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: CryptUnprotectData$crypt32
                                • API String ID: 2574300362-2380590389
                                • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
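The function above resolves CryptUnprotectData from crypt32 through LoadLibraryA and GetProcAddress, so those two names are plain ASCII in memory, whereas the cookie-path and keylogger functions earlier in this listing use the wide APIs and keep their strings as UTF-16LE. A plain ASCII strings pass over one of the .sdmp dumps listed above therefore finds the DPAPI import but misses the browser paths. The Python below is an added example (not Joe Sandbox output and not the sample's code) that extracts both encodings from a byte blob and scores it against the String ID values this report lists for the cookie-path, keylogger, clipboard, registry and timeout functions. The indicator weights are this example's own triage choice and DEMO_DUMP is a constructed fragment, not bytes from the dump.

```python
"""String triage of a memory dump for the indicators this report lists.

Added example, not Joe Sandbox or Remcos code. ANSI imports such as
"crypt32"/"CryptUnprotectData" are found by an ASCII scan; strings handed to
the wide APIs (the Chromium cookie paths, the keylogger banners) are UTF-16LE
and need the second regex. Weights and DEMO_DUMP are constructed here.
"""
from __future__ import annotations

import re
from pathlib import Path

# Printable runs of at least six characters, ASCII and UTF-16LE respectively
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Strings taken from the report's "String ID" fields; weights are arbitrary triage choices
INDICATORS: dict[str, int] = {
    "User Data\\Default\\Network\\Cookies": 2,
    "\\AppData\\Local\\Google\\Chrome\\": 1,
    "\\AppData\\Local\\Microsoft\\Edge\\": 1,
    "CryptUnprotectData": 2,
    "Offline Keylogger Started": 3,
    "Online Keylogger Started": 3,
    "[Text copied to clipboard]": 2,
    "pth_unenc": 2,
    "Connection Timeout": 1,
}


def extract_strings(blob: bytes) -> dict[str, set[str]]:
    """Printable runs grouped by encoding; wide runs are decoded from UTF-16LE."""
    return {
        "ascii": {m.group().decode("ascii") for m in ASCII_RE.finditer(blob)},
        "utf16le": {m.group().decode("utf-16le") for m in WIDE_RE.finditer(blob)},
    }


def score(blob: bytes) -> tuple[int, dict[str, tuple[int, list[str]]]]:
    """Return (total weight, {indicator: (weight, encodings it was seen in)}).
    Substring matching is used because an indicator may sit inside a longer run."""
    strings = extract_strings(blob)
    hits: dict[str, tuple[int, list[str]]] = {}
    for indicator, weight in INDICATORS.items():
        encodings = [enc for enc, runs in strings.items()
                     if any(indicator in run for run in runs)]
        if encodings:
            hits[indicator] = (weight, encodings)
    return sum(w for w, _ in hits.values()), hits


def wide(s: str) -> bytes:
    """UTF-16LE with a double-NUL terminator, as a wide C string is laid out."""
    return s.encode("utf-16le") + b"\x00\x00"


# Constructed dump fragment: zero padding, one wide path, the ANSI import pair,
# a wide keylogger banner, a few x86 code bytes and an ANSI registry string.
DEMO_DUMP = (
    b"\x00" * 16
    + wide("User Data\\Default\\Network\\Cookies")
    + b"crypt32\x00CryptUnprotectData\x00"
    + wide("Offline Keylogger Started")
    + b"\x55\x8b\xec\x83\xec\x10" + b"\xcc" * 6
    + b"pth_unenc\x00"
)


def triage_file(path: str) -> tuple[int, dict[str, tuple[int, list[str]]]]:
    """Score an on-disk dump such as one of the .sdmp files listed above."""
    return score(Path(path).read_bytes())


if __name__ == "__main__":
    total, hits = score(DEMO_DUMP)
    print(f"score={total}")
    for indicator, (weight, encodings) in hits.items():
        print(f"  +{weight} {indicator!r} ({', '.join(encodings)})")
```

The encoding column matters when turning these strings into a rule: a YARA or Sigma string for the cookie path must be declared wide, while the crypt32 pair must be declared ascii, or the rule silently matches only half of what this report shows.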
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                • SetEvent.KERNEL32(?), ref: 004051D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandleObjectSingleWait
                                • String ID: Connection Timeout
                                • API String ID: 2055531096-499159329
                                • Opcode ID: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                • Opcode Fuzzy Hash: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throw
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 2005118841-1866435925
                                • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                APIs
                                • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A
                                • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
                                • RegCloseKey.ADVAPI32(004752D8,?,0040F85E,pth_unenc,004752D8), ref: 00413893
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: pth_unenc
                                • API String ID: 1818849710-4028850238
                                • Opcode ID: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                • Opcode Fuzzy Hash: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                  • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                • String ID: bad locale name
                                • API String ID: 3628047217-1405518554
                                • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                • ShowWindow.USER32(00000009), ref: 00416C9C
                                • SetForegroundWindow.USER32 ref: 00416CA8
                                  • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                  • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                  • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                  • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                • String ID: !D@
                                • API String ID: 186401046-604454484
                                • Opcode ID: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                • Opcode Fuzzy Hash: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: /C $cmd.exe$open
                                • API String ID: 587946157-3896048727
                                • Opcode ID: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                • Opcode Fuzzy Hash: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                APIs
                                • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteDirectoryFileRemove
                                • String ID: pth_unenc$xdF
                                • API String ID: 3325800564-2448381268
                                • Opcode ID: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                • Opcode Fuzzy Hash: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                APIs
                                • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                • TerminateThread.KERNEL32(0040A2A2,00000000,?,pth_unenc), ref: 0040B910
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: TerminateThread$HookUnhookWindows
                                • String ID: pth_unenc
                                • API String ID: 3123878439-4028850238
                                • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: __alldvrm$_strrchr
                                • String ID:
                                • API String ID: 1036877536-0
                                • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                • String ID:
                                • API String ID: 3360349984-0
                                • Opcode ID: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                • Opcode Fuzzy Hash: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                APIs
                                Strings
                                • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                • Cleared browsers logins and cookies., xrefs: 0040C130
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep
                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                • API String ID: 3472027048-1236744412
                                • Opcode ID: 1d84a610968c0f989614364af8c032c8251bfa68e213ae620782c32fadd9a619
                                • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                • Opcode Fuzzy Hash: 1d84a610968c0f989614364af8c032c8251bfa68e213ae620782c32fadd9a619
                                • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                APIs
                                  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                  • Part of subcall function 00413733: RegCloseKey.ADVAPI32(00000000), ref: 00413773
                                • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQuerySleepValue
                                • String ID: 8SG$exepath$xdF
                                • API String ID: 4119054056-3578471011
                                • Opcode ID: 01bdf780ec6ac7598780d4fc060e49cfbed0a76d2458a37ef2a8bb80d49c98e5
                                • Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
                                • Opcode Fuzzy Hash: 01bdf780ec6ac7598780d4fc060e49cfbed0a76d2458a37ef2a8bb80d49c98e5
                                • Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
                                APIs
                                  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                  • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                • Sleep.KERNEL32(00000064), ref: 0040A638
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$ForegroundLength
                                • String ID: [ $ ]
                                • API String ID: 3309952895-93608704
                                • Opcode ID: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                • Opcode Fuzzy Hash: e3c1de537be80067876ef70e6a789dfde08fa912f151d6d6ce86b7d0ea258fd3
                                • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
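Added example (not part of the Joe Sandbox report, and not Joe Sandbox code): a small Python triage script that parses function records like the ones in this section, i.e. the "• API.MODULE(args), ref: ADDR" lines, the "Part of subcall function" prefix, the "$"-separated "String ID" values and the closing "Instruction Fuzzy Hash", and maps API/string combinations to the capability a reverser would note: GetForegroundWindow with GetWindowTextW (window-title capture for the keylog), UnhookWindowsHookEx (hook teardown), RegOpenKeyExA/RegQueryValueExA together with the "exepath" string (the stored executable path), the "cmd.exe" and "/C" strings of the ExecuteShell function, and the four GetSystemMetrics indices 0x4C to 0x4F (SM_XVIRTUALSCREEN to SM_CYVIRTUALSCREEN, the virtual-screen geometry a screenshot routine needs). It also decodes the hex Sleep() arguments (00000BB8 is 3000 ms). The capability names are this example's own interpretation, not Joe Sandbox output; the sample records are copied from this report with the Memory Dump Source and Opcode lines dropped.

```python
"""Triage helper for the function-level records of a Joe Sandbox report.
Added example, not part of the report or of Joe Sandbox: it parses the
"• API.MODULE(args), ref: ADDR" and "• String ID:" lines of each record (a
record ends at its "• Instruction Fuzzy Hash:" line) and maps API/string
combinations to a capability. The rules are this example's own reading."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*)$")
HASH_LINE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*(?P<h>[0-9A-F]+)")

# GetSystemMetrics indices for the virtual desktop; reading all four is the
# usual prelude to a multi-monitor screenshot.
VIRTUAL_SCREEN = {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
                  0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"}
# (capability, APIs that must all appear, strings of which one must appear)
RULES = [
    ("window-title capture (keylogger)", {"GetForegroundWindow", "GetWindowTextW"}, ()),
    ("keyboard hook teardown", {"UnhookWindowsHookEx"}, ()),
    ("reads stored exe path from registry", {"RegOpenKeyExA", "RegQueryValueExA"}, ("exepath",)),
    ("runs a command via cmd.exe /C", set(), ("cmd.exe",)),
]
Call = namedtuple("Call", "api module args ref subcall")  # subcall: parent function or None

@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fuzzy_hash: Optional[str] = None

def parse_records(text: str) -> List[Record]:
    """Group API/string lines into records; a record truncated at EOF is kept."""
    records, cur = [], Record()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif m := STRING_LINE.match(line):
            cur.strings.extend(s.strip() for s in m["s"].split("$") if s.strip())
        elif m := HASH_LINE.match(line):
            cur.fuzzy_hash = m["h"]
            records.append(cur)
            cur = Record()
    if cur.calls or cur.strings:
        records.append(cur)
    return records

def _hex(arg: str) -> Optional[int]:
    # Report arguments are hex ("00000BB8"); "?" and symbol names give None.
    try:
        return int(arg, 16)
    except ValueError:
        return None

def classify(rec: Record) -> List[str]:
    names = {c.api for c in rec.calls}
    found = [cap for cap, apis, needles in RULES if apis <= names
             and (not needles or any(n in s for n in needles for s in rec.strings))]
    metrics = {_hex(c.args[0]) for c in rec.calls if c.api == "GetSystemMetrics" and c.args}
    hits = [VIRTUAL_SCREEN[i] for i in sorted(i for i in metrics if i in VIRTUAL_SCREEN)]
    if hits:
        found.append("virtual-screen geometry (" + ", ".join(hits) + ")")
    return found

def sleep_ms(rec: Record) -> List[int]:
    """Sleep() delays in milliseconds, e.g. 00000BB8 -> 3000."""
    return [ms for c in rec.calls if c.api == "Sleep" and c.args
            if (ms := _hex(c.args[0])) is not None]

# Records copied from this report (Memory Dump Source and Opcode lines dropped).
SAMPLE = """\
• String ID: /C $cmd.exe$open
• Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
• TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
• UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
• String ID: pth_unenc
• Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
  • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
  • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
• Sleep.KERNEL32(00000BB8), ref: 004127B5
• String ID: 8SG$exepath$xdF
• Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
  • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
  • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
• Sleep.KERNEL32(000001F4), ref: 0040A5AE
• Sleep.KERNEL32(00000064), ref: 0040A638
• String ID: [ $ ]
• Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
• GetSystemMetrics.USER32(0000004C), ref: 0041942B
• GetSystemMetrics.USER32(0000004D), ref: 00419431
• GetSystemMetrics.USER32(0000004E), ref: 00419437
• GetSystemMetrics.USER32(0000004F), ref: 0041943D
"""

if __name__ == "__main__":
    print(*[(classify(r), sleep_ms(r)) for r in parse_records(SAMPLE)], sep="\n")
```

Run it over a saved copy of the whole function-level section instead of SAMPLE. Records that match no rule come back with an empty capability list, which is itself useful: the CRT and exception-handling helpers (LIBCMT, LIBVCRUNTIME, _free, __alldvrm) fall into that bucket and can be skipped when triaging.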
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: SystemTimes$Sleep__aulldiv
                                • String ID:
                                • API String ID: 188215759-0
                                • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                • Instruction ID: 437de9af4247593539f95cdbb70b1dc5411192884b5f12beac7b10196549b189
                                • Opcode Fuzzy Hash: d36049e99d51c5662ea1cdccde7f001ca18baa555cb14a41c95be32ad22d597f
                                • Instruction Fuzzy Hash: CB01ADB26096527ABA202E796CC5E27634CDB42BBA335037BF821512E3DF68DE054169
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleReadSize
                                • String ID:
                                • API String ID: 3919263394-0
                                • Opcode ID: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                • Opcode Fuzzy Hash: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                  • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                • _UnwindNestedFrames.LIBCMT ref: 00439911
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                • String ID:
                                • API String ID: 2633735394-0
                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                APIs
                                • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: MetricsSystem
                                • String ID:
                                • API String ID: 4116985748-0
                                • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                APIs
                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                  • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                • String ID:
                                • API String ID: 1761009282-0
                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                APIs
                                • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHandling__start
                                • String ID: pow
                                • API String ID: 3213639722-2276729525
                                • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                APIs
                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: GdiplusStartupconnectsend
                                • String ID: ,aF$NG
                                • API String ID: 1957403310-2168067942
                                • Opcode ID: f528667a670eb0aa784238e8f2f3b1944c8efee8d82461bb7a8c2b2bbf64b4b2
                                • Instruction ID: 646e85ae029ebb21aec6d49858a727e037fa7bb3a6359959f193cd142bf324ca
                                • Opcode Fuzzy Hash: f528667a670eb0aa784238e8f2f3b1944c8efee8d82461bb7a8c2b2bbf64b4b2
                                • Instruction Fuzzy Hash: 8E41D4713042015BC208FB22D892ABF7396ABC0358F50493FF54A672D2EF7C5D4A869E
                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/jpeg
                                • API String ID: 1291196975-3785015651
                                • Opcode ID: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                • Instruction ID: 4d0b5c8bb5c89928ccad9adfa1773eea8e0f3015d74a4b244142dc53e7d0f70c
                                • Opcode Fuzzy Hash: 1a6cd23bb326207906ee55eab088e22a045b333238033622bcf03b289c973c7d
                                • Instruction Fuzzy Hash: B5316D71604300AFC301EF65C884DAFBBE9EF8A304F00496EF985A7251DB7999048BA6
                                APIs
                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ACP$OCP
                                • API String ID: 0-711371036
                                • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                  • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                  • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                  • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/png
                                • API String ID: 1291196975-2966254431
                                • Opcode ID: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                • Instruction ID: 3c300d9a249dbea914adbc87700f03e6b767f6cab6163cd9bde1f728fb98d86d
                                • Opcode Fuzzy Hash: c053decb124affeca1ca8e7c910363171ca68cdd065e9a4048a61e85df625b55
                                • Instruction Fuzzy Hash: ED219071204211AFC701AB61CC88CBFBBACEFCA754F10052EF54693261DB399955CBA6
                                APIs
                                • GetStdHandle.KERNEL32(000000F6), ref: 00449CBC
                                • GetFileType.KERNEL32(00000000), ref: 00449CCE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileHandleType
                                • String ID: `Bx
                                • API String ID: 3000768030-721929915
                                • Opcode ID: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                • Instruction ID: 0971e15b3ed75ae4f19990cc7af9cd82d4526e04a272429d5fd5d939a02a2197
                                • Opcode Fuzzy Hash: b34b3b4b83b21344277d15047b5fba51ecc245e821c78927fd7bd009bf1ff183
                                • Instruction Fuzzy Hash: EF11907250475246E7308F3E9CC8223BAD5AB52331B38072BD5B7966F1C328DC82F249
                                APIs
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 481472006-1507639952
                                • Opcode ID: 6a6dd04c78f1243afd3adc0c709adc44285d3ed02cea83161db4516a3b8aa8d1
                                • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                • Opcode Fuzzy Hash: 6a6dd04c78f1243afd3adc0c709adc44285d3ed02cea83161db4516a3b8aa8d1
                                • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: `Bx
                                • API String ID: 269201875-721929915
                                • Opcode ID: a20b441ddeb67c9ee691f7cf4a146dca50fcbe4cc28fbe4176985be8152cb82c
                                • Instruction ID: 50f29c45267cc5de65db45c76c11a9fc4df43ae0f191c64cb21c29ff245d41fa
                                • Opcode Fuzzy Hash: a20b441ddeb67c9ee691f7cf4a146dca50fcbe4cc28fbe4176985be8152cb82c
                                • Instruction Fuzzy Hash: 9011D371A002004AEF309F39AC81B563294A714734F15172BF929EA3D6D3BCD8825F89
                                APIs
                                • Sleep.KERNEL32 ref: 0041667B
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: DownloadFileSleep
                                • String ID: !D@
                                • API String ID: 1931167962-604454484
                                • Opcode ID: 05864501e3066f261fa3773e90e58814017deb9033068c5665e3f6f63e0eedc9
                                • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                • Opcode Fuzzy Hash: 05864501e3066f261fa3773e90e58814017deb9033068c5665e3f6f63e0eedc9
                                • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                APIs
                                • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: | $%02i:%02i:%02i:%03i
                                • API String ID: 481472006-2430845779
                                • Opcode ID: 52f1b42f153ed4b644b91f11fc4c23a59010ae0a013f6087acbd7f2f1f111652
                                • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                • Opcode Fuzzy Hash: 52f1b42f153ed4b644b91f11fc4c23a59010ae0a013f6087acbd7f2f1f111652
                                • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: alarm.wav$hYG
                                • API String ID: 1174141254-2782910960
                                • Opcode ID: f7e91bfaf8b99ac86c10a1af32db07f645763c2e3290c42acfcbd5bd632e7d00
                                • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                • Opcode Fuzzy Hash: f7e91bfaf8b99ac86c10a1af32db07f645763c2e3290c42acfcbd5bd632e7d00
                                • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                APIs
                                  • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B1AD
                                  • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                  • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                • UnhookWindowsHookEx.USER32 ref: 0040B102
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                • String ID: Online Keylogger Stopped
                                • API String ID: 1623830855-1496645233
                                • Opcode ID: 5c1ef11ff9a74ffdec2b51700aff9b60d5214403fdce7dbdd5e2d5b2d04e2712
                                • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                • Opcode Fuzzy Hash: 5c1ef11ff9a74ffdec2b51700aff9b60d5214403fdce7dbdd5e2d5b2d04e2712
                                • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                APIs
                                  • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                • DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB40,00000010,0043C225), ref: 00449B3E
                                • _free.LIBCMT ref: 00449B4C
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSection$DeleteEnter_free
                                • String ID: `Bx
                                • API String ID: 1836352639-721929915
                                • Opcode ID: c4858f147dca3af98ff3072a35a331021ffe480fa2ea49ad75237c67703f4d69
                                • Instruction ID: 49f98359192604db3700e7d46e2ee0879056decf89b11c46129577f8840becb7
                                • Opcode Fuzzy Hash: c4858f147dca3af98ff3072a35a331021ffe480fa2ea49ad75237c67703f4d69
                                • Instruction Fuzzy Hash: C3115E31500214DFEB20DFA8E846B5D73B0FB04724F10455AE8599B2E6CBBCEC429B0D
                                APIs
                                • waveInPrepareHeader.WINMM(0077DE98,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                • waveInAddBuffer.WINMM(0077DE98,00000020,?,00000000,00401A15), ref: 0040185F
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferHeaderPrepare
                                • String ID: XMG
                                • API String ID: 2315374483-813777761
                                • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                • Opcode ID: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                • Instruction ID: 4a6f060c21597e0392f33703011e6e0157da39883ddad7ec559e06d861eb6f1f
                                • Opcode Fuzzy Hash: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                • Instruction Fuzzy Hash: 64E0E532A0152014F6713A3B6D1665B45C68BC1B3AF22423FF425962C2DFAC8946516E
                                APIs
                                • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocaleValid
                                • String ID: IsValidLocaleName$kKD
                                • API String ID: 1901932003-3269126172
                                • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                • API String ID: 1174141254-4188645398
                                • Opcode ID: 67a37633ad4a3934eb7a9710067efd7b2c9a9b469ed032209e18e61634ff2717
                                • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                • Opcode Fuzzy Hash: 67a37633ad4a3934eb7a9710067efd7b2c9a9b469ed032209e18e61634ff2717
                                • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                • API String ID: 1174141254-2800177040
                                • Opcode ID: 7414731bf553168197ebf71208b97339720711320eac3921dee6b082f9eb1638
                                • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                • Opcode Fuzzy Hash: 7414731bf553168197ebf71208b97339720711320eac3921dee6b082f9eb1638
                                • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: AppData$\Opera Software\Opera Stable\
                                • API String ID: 1174141254-1629609700
                                • Opcode ID: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                • Opcode Fuzzy Hash: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                • Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
                                • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                • Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
                                APIs
                                • GetKeyState.USER32(00000011), ref: 0040B686
                                  • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                  • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                  • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                • String ID: [AltL]$[AltR]
                                • API String ID: 2738857842-2658077756
                                • Opcode ID: fa93664948dcb0f020004388e922df39f0c15565708f89507acb73c0046c3751
                                • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                • Opcode Fuzzy Hash: fa93664948dcb0f020004388e922df39f0c15565708f89507acb73c0046c3751
                                • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: !D@$open
                                • API String ID: 587946157-1586967515
                                • Opcode ID: eb4567e96d42521689c96e83ef1aa2a6a7df05ac31277aa5078135f6cb8d6bca
                                • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                • Opcode Fuzzy Hash: eb4567e96d42521689c96e83ef1aa2a6a7df05ac31277aa5078135f6cb8d6bca
                                • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                APIs
                                • GetKeyState.USER32(00000012), ref: 0040B6E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: State
                                • String ID: [CtrlL]$[CtrlR]
                                • API String ID: 1649606143-2446555240
                                • Opcode ID: 533432bc897d172b5aee8caafc533d6d1d6dab6a7602291f4f1d8f3613ae2efb
                                • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                • Opcode Fuzzy Hash: 533432bc897d172b5aee8caafc533d6d1d6dab6a7602291f4f1d8f3613ae2efb
                                • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                APIs
                                  • Part of subcall function 00449ADC: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046EB40,00000010,0043C225), ref: 00449B3E
                                  • Part of subcall function 00449ADC: _free.LIBCMT ref: 00449B4C
                                  • Part of subcall function 00449B7C: _free.LIBCMT ref: 00449B9E
                                • DeleteCriticalSection.KERNEL32(00784240), ref: 0043C241
                                • _free.LIBCMT ref: 0043C255
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$CriticalDeleteSection
                                • String ID: `Bx
                                • API String ID: 1906768660-721929915
                                • Opcode ID: 63eb8731bacd2bc92b6a517d3705648d3868340f9125810a73be92756070acfe
                                • Instruction ID: 53b3c8965ed62865b06495ab0c988fe80dbb580c75aaeb32feec7d00177b517a
                                • Opcode Fuzzy Hash: 63eb8731bacd2bc92b6a517d3705648d3868340f9125810a73be92756070acfe
                                • Instruction Fuzzy Hash: F8E04F328145208FEB71BB69FD4595A73E4EB4D325B12086FF80DA3165CAADAC809B4D
                                APIs
                                  • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                • __Init_thread_footer.LIBCMT ref: 00410F64
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: ,kG$0kG
                                • API String ID: 1881088180-2015055088
                                • Opcode ID: bf6eaf7ad603c651630b5b847c32adb66bdf614d62153d48efbad85f1494e607
                                • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                • Opcode Fuzzy Hash: bf6eaf7ad603c651630b5b847c32adb66bdf614d62153d48efbad85f1494e607
                                • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
                                • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteOpenValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 2654517830-1051519024
                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                APIs
                                • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ObjectProcessSingleTerminateWait
                                • String ID: pth_unenc
                                • API String ID: 1872346434-4028850238
                                • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                • GetLastError.KERNEL32 ref: 00440D85
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorLast
                                • String ID:
                                • API String ID: 1717984340-0
                                • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                APIs
                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                Memory Dump Source
                                • Source File: 00000001.00000002.3788466746.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000001.00000002.3788436473.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788538108.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788580504.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000001.00000002.3788640155.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_400000_1728239645797292025226e9acb49e89d83573a2cc0d27d167f28d4f30183138d9571f.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastRead
                                • String ID:
                                • API String ID: 4100373531-0
                                • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99